Data Protection Officer (DPO)

Why do I now need to have a Data Protection Officer (DPO)?

GDPR (Article 37) sets out when an organisation is legally required to designate a Data Protection Officer, and Articles 38 and 39 set out the DPO's position and tasks. This changes the legal position for many organisations that previously had no such role.

The Legal Justification

A DPO must be designated where the organisation:

  • Reason No 1 – Is a public authority or body (except for courts acting in their judicial capacity)
  • Reason No 2 – Has core activities that require regular and systematic monitoring of individuals on a large scale (for example online behavioural tracking)
  • Reason No 3 – Has core activities that involve large scale processing of special categories of data (Article 9) or of data relating to criminal convictions and offences (Article 10)

Our view on this:

If you process large amounts of sensitive personal information, or information about children, we would advocate appointing a Data Protection Officer even where the regulation does not strictly require one. For most organisations this more likely means outsourcing the role to a company like ourselves.

Business Justification

Expect to be asked about your level of adherence to GDPR when bidding for new work.

Having a DPO in place demonstrates a higher level of compliance, because part of the DPO's role (Article 39) is to monitor and assure your compliance on an ongoing basis. This puts you in a much better position to win the confidence of prospective clients that you will handle data privacy appropriately.

Challenges with Hiring a DPO

Experienced DPOs are difficult to hire in the current marketplace and command a fairly high salary, approximately £70k per annum.

Avoiding the Conflict of Interest

The DPO must be free of conflicts of interest (Article 38(6)): senior enough to be heard, but able to act independently. In practice this means that senior management, board members, directors, functional heads and anyone else who determines the purposes and means of processing cannot normally be appointed as DPO.

The Simple and Cost Effective Solution

The simpler and more cost effective option is to outsource the role. Data Privacy Services offer the DPO role as a service.

GDPR Compliance – Step by Step Guide

Step 1 – Assign Accountability

  • GDPR is a complex regulation; it needs an individual within the organisation who is accountable for compliance
  • Review the requirements for formally implementing the role of a Data Protection Officer (note that a DPO is mandatory under GDPR only for the processing scenarios set out in Article 37)
  • Ensure that whoever takes accountability has the support of the organisation's leadership team

Step 2 – Understand GDPR (Basic Level)

  • Research as much as you can online
  • Review the information on the GDPR Website
  • Review the FAQs on our web site

Step 3 – Risk Awareness

  • Ensure that the organisation's senior management are aware of GDPR
  • Ensure that they understand the key risks
  • Discuss the financial risk: fines of up to 4% of the preceding financial year's worldwide annual turnover or €20 million, whichever is higher (Article 83); a lower tier of up to 2% or €10 million applies to some infringements
  • Discuss the risk to reputation, quoting well-known examples of how data breaches can result in loss of business and insolvency
  • Discuss the risk to new business opportunities: if you are not compliant you will find it harder to win future business

Step 4 – Complete a Readiness Assessment

  • Discuss the best way to review how ready you are for GDPR
  • The best approach for most organisations is to seek professional help
  • Assess how prepared your organisation is in relation to the key Articles, and specifically the data protection principles of the GDPR (Article 5)

Step 5 – Agree The Compliance Framework

  • Review the detailed output from the Readiness Assessment
  • Agree your desired target state (your GDPR compliance framework) to become compliant
  • Focus on preparing for implementing the urgent priorities

Step 6  – Complete an Inventory

  • You need to know where, how, by whom, on what lawful basis and for how long your personal data is processed; this is the basis of your record of processing activities (Article 30)
  • Focus on HR information processes to start with, for example the first process could be 'new starter'
  • Then assess all of your customer processes, e.g. 'entering customer information' into a CRM solution
  • Then assess all of your supplier processes, e.g. 'setting up a new supplier' in your invoicing system
  • Don't forget other forms of processing such as your website, CCTV, voice recording, location tracking etc.

Step 7 – Detailed Risk Assessment

  • Undertake a full detailed risk assessment of all of your key processes
  • Complete data protection impact assessments (DPIAs, Article 35) for processing that is likely to result in a high risk to individuals
  • Assign priority activities for risk mitigation

Step 8 – Deliver the Priority Activities

  • These will vary organisation to organisation
  • Ensure that each processing activity has a lawful basis (Article 6, and a further condition under Article 9 for special category data)
  • Ensure that you can deal with subject access requests within the one month time limit (Article 15)
  • Ensure that you can detect and deal with data breaches, including notifying the supervisory authority within 72 hours where required (Articles 33 and 34; see our DPO as a Service information)
  • Ensure that your web site is compliant
  • Ensure that you have appropriate technical and organisational security measures in place (Article 32)
  • Ensure that your partners and suppliers are aware of GDPR
  • Ensure that the data they process on your behalf is safe and is covered by a written processor contract (Article 28)

Step 9 – Deliver the Medium to Long Term Objectives

  • Get all of the necessary contractual relationships in place (processor contracts under Article 28 and, for international transfers, model contracts / standard contractual clauses)
  • Implement all of the policies and procedures that you require
  • Change the way data privacy is managed, implementing data protection by design and by default (Article 25)

Step 10 – Maintain GDPR Compliance

  • Implement an annual compliance plan
  • Carry out regular assurance reviews (see our DPO as a Service)
  • Review and update data protection impact assessments
  • Carry out information security audits (see our Security Services)