Like many other organisations, we have been working through our GDPR compliance plan and evaluating whether we need a Data Protection Officer (DPO). Articles 37-39 of the Regulation describe the criteria for this role to be mandatory, namely, if you:
As ‘large-scale’ is not defined, the Article 29 Working Party provided some useful FAQs that helped us determine that we did, in fact, meet the relevant threshold, given that we process large and diverse amounts of special categories client data in the regular course of our business. Bear in mind that ‘large scale’ has nothing to do with the size of your organisation. The DPO Decision Tree provided by DPO Network Europe was also useful.
Having established the need, we looked at our options for appointing a DPO. This role can be an existing employee as long as there is no conflict of interest and, in fact, we can even source our DPO externally.
Our starting point was to make sure we understood what the DPO role entailed – almost a mini job description. So, the duties are:
Practically, this means that the DPO will need to be aware of, and assess, any new processes and systems involving personal data across any part of your business.
In terms of skills, the DPO needs advanced knowledge of the GDPR and other relevant data protection laws. They need to understand the business, the data it handles and how to interact with the customer base and the regulator. The DPO needs to understand data security to a good level and needs to be up to date with the latest threats to the business and the data it protects. By the way, if you can meet this specification, there are currently plenty of jobs out there!
If you are looking internally, the immediate assumption might be to look for the role within your ICT department. However, this would create a conflict of interest, as the Regulation clearly states that the DPO cannot have a dual role of governing data protection whilst also defining how data is managed. This also rules out positions such as CEO, CFO, CIO or Head of HR, whose roles may also conflict.
The DPO role is fundamentally about governance and compliance and internally this will be the best place to look – particularly if you have someone in place who already has a role in information governance – as long as that role is suitably senior and recognised as a board level adviser.
We also considered using an external or shared DPO. There are plenty of companies now jumping on the bandwagon to offer a ‘DPO as a service’ which, on the surface, might seem a good option.
This service provides a named consultant who will carry out the activities listed above on your behalf, wearing your ‘corporate hat’. The virtual DPO can actually be a team of people, each providing their own specialities, as long as a specific person is nominated as the lead of the DPO function.
Having spoken to a few different companies, we found that they all suggest a similar model:
If you do go down this route, IAPP provide a useful set of questions to ask a potential service provider.
How well this will work depends largely on how complex your business is and how often you change your systems and processes. I’ve already mentioned that it’s important for the DPO to have a good understanding of how your business operates. For an organisation like ours, which is complex, with a number of different types of business and a wide range of systems and processes involving personal data, the challenge for an external DPO is how to become and remain immersed in the business without the cost becoming prohibitive. The same issues may apply to a DPO shared with another organisation.
Having explored the options, for us, it made sense to go down the internal route. We want to embed a culture of ‘privacy by design’ into the group, so it’s important that our DPO is seen as an integral part of our business and that staff have easy access to get advice or expertise.
However, if you don’t have anyone suitable in your organisation and your processes are less complex and don’t change too frequently, the ‘DPO as a service’ may be right for you.