The General Data Protection Regulation (GDPR), which came into force on 25 May 2018, brought many positive changes, including greater transparency and stronger protections for data subjects: a lawful basis such as consent for every processing activity, minimisation and pseudonymisation of collected data, and notification of data subjects when a breach puts their rights at high risk.
While these regulations have put much needed safeties in place for our personal data, they have also saddled EU businesses with the daunting task of establishing protocols to ensure GDPR compliance.
Staying within GDPR guidelines needs to be a huge priority; not only because it safeguards our personal data but because organizations that don’t get compliance right risk facing stiff penalties from regulatory agencies.
A key requirement under the guidelines is that certain companies appoint a data protection officer (DPO) to monitor the processing of personal data, and ensure GDPR compliance.
You may be wondering how to determine whether or not your company needs to appoint a DPO. You must do so if your organization:
- Is a public authority or body (other than a court acting in its judicial capacity)
- Has core activities that require regular and systematic monitoring of individuals on a large scale, for example tracking online behaviour
- Has core activities that involve large-scale processing of special categories of data (such as health, genetic or biometric data) or of data relating to criminal convictions and offences
Also keep in mind that even if your firm is not required to appoint a DPO under the GDPR, you will still need to comply with GDPR guidelines.
What Does a DPO Do?
The primary function of the DPO is to monitor GDPR compliance within a company. She helps data controllers and processors meet their obligations to protect personal data by advising on its collection, processing, management and storage.
The DPO is not directly responsible for maintaining compliance; that responsibility stays with the controller or processor. She acts as the point of contact between her organization and the supervisory authority, the independent regulator for the GDPR in each member state (in the UK, the Information Commissioner's Office (ICO)). Additional duties of a DPO include:
- Acting as the point of contact for the supervisory authority, including when there is a data breach
- Advising on the creation of Data Protection Impact Assessments (DPIAs), which identify, analyze and seek to minimize data protection risks of a particular project or plan
- Conducting data mapping exercises to help effectively manage risks to personal data
- Providing training for any members of staff who may need to support the DPO in her duties
Many Firms Don’t Need a Full-Time DPO
Here's the rub. The role of DPO, although exceedingly important, is often not large enough to justify hiring a full-time, dedicated employee for the position. A function that is mandatory but does not fill a full-time post presents some challenges.
The Challenges of Hiring a DPO
Companies may consider hiring from within their organizations, or adding on to the duties of an existing employee to fill the role of DPO.
This can be done, but be aware of conflicts of interest. Under the GDPR, the DPO must not hold a position in which she determines the purposes and means of processing personal data. In practice this rules out senior roles that own processing activities, so the head of Human Resources, IT or marketing cannot also be your DPO.
Another requirement that can make it difficult to appoint a DPO, especially from within your organization, is that he must be able to perform his duties independently. He must not receive instructions on how to carry out those duties, cannot be dismissed or penalised for performing them, and reports directly to the highest management level rather than to a line manager.
Necessary restrictions like this effectively eliminate some of the easier ways companies might opt to fill the role of DPO.
Although compliance can be onerous for large interests like banks and insurance companies with substantial cash flow, it can be even more so for smaller concerns like startups that employ only a few people.
You Must Do a Thorough Analysis Before Deciding Whether You Need a DPO
Compliance is a must even if a company is not required to appoint a DPO under GDPR guidelines.
If you've determined that a DPO is not required for your organization, appointing one voluntarily can still be greatly beneficial in making sure the business stays GDPR compliant. Be aware, though, that a voluntarily appointed DPO is subject to the same requirements on independence, position and tasks as a mandatory one.
The Article 29 Working Party, the EU advisory body on data protection (since replaced by the European Data Protection Board), recommends in its DPO guidelines that organizations document the internal analysis carried out to decide whether a DPO is needed, so that they can demonstrate that the relevant factors were considered. In other words, do not assume you are exempt; conduct a thorough internal analysis and record the outcome before making a final determination.
It may also happen that your business simply doesn’t need a full-time, dedicated employee to fill the role of data protection officer. In either situation, outsourcing the role of DPO can be an excellent solution.
A Virtual DPO Can Step in When You Don’t Need a Full-Time DPO
For the many small- to medium-sized businesses across the EU that do not require a dedicated, full-time data protection officer, a virtual DPO is a far more convenient and cost-effective solution.
An outsourced, virtual DPO, which the GDPR expressly permits on the basis of a service contract, serves all the functions of an in-house DPO: providing training, answering questions about how to interpret the GDPR, advising on the response to data breaches, and communicating with supervisory authorities on behalf of your company.
It takes a rare combination of skills and experience to make a great data protection officer: management experience and cyber-security expertise; expertise in risk management, governance and compliance; knowledge of the technologies relevant to data protection; strong communication skills; and a solid understanding of the legal aspects of data protection.
Finding one person with such a diverse skill set is no easy task, especially when the role is only a part-time opportunity. Fortunately, outsourcing arrangements exist that make the continuous monitoring the GDPR requires practical for more businesses.