Appointing a DPO

A Data Protection Officer (DPO) is a lot like a little angel on your shoulders, except instead of a little harp, they have a complete understanding of GDPR and other data protection laws. Their job is to make sure you don’t listen to the devil on your other shoulder encouraging you to do all sorts of non-compliant things, like process data unlawfully or without permission. In business language, they are responsible for overseeing data protection strategy and implementation to ensure compliance.

But what exactly do they do?

Quite a lot is the short answer, but as you’re probably here to read the specifics, I’ll elaborate. The core tasks of a DPO are:

• To make sure businesses are aware of their responsibilities
• To ensure data subjects (those who the data pertains to) are aware of their rights
• To ensure policies and procedures are in place across the business to help with and maintain compliance
• To give advice and recommendations across the business when it comes to the handling of personal data through the use of Data Protection Impact Assessments (DPIAs)
• Raise awareness within the business
• Handle queries, complaints and requests relating to personal data
• To be the main point of contact between the business and the Supervisory Authority (for the UK this is the ICO)

One thing to remember about that last one: contacting the ICO is something the DPO has to do in the event of a data breach which puts data subjects at risk. Whilst a data breach of this kind can pose the risk of a fine, this is a legal obligation. Don’t get mad at your DPO when they do this. It’s like if a child breaks their mum’s lamp; they’ll be in more trouble if she finds out herself than if they come clean straight away and apologise. Believe me, the fines can be far more severe than a week’s grounding.

Characteristics

What sort of person should you look for to be your DPO? You certainly don’t want any old Tom, Dick or Harriet guessing their way through and going along with whatever you say. You want someone who’s willing to stand up for what is right and who lives and breathes data protection.

Your ideal DPO must be:

• Approachable (think of them as your data protection agony aunt)
• Well-informed and qualified in data protection laws
• Independent from the business functions. This is to make sure they stay unbiased
• Responsible
• Organised
• Experienced in information security
• Equipped with strong communication skills

Do I need to appoint a DPO?

Yes. No. Maybe? It depends. Under GDPR, you must appoint a DPO if:

• You are a public authority or body (except for courts acting in their judicial capacity)
• Your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking)
• Your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences

Don’t do any of that stuff? – Then technically, you don’t need one. Hooray! Though, think really hard about it, as like all legal speak it is a touch vague and open to interpretation. Check out our previous data protection officer blog for a more in-depth look at the above.

Whilst you may not need one under GDPR, you can still get one voluntarily if you’re the cautious type or if you think you’re going to fall into one of those categories in the near future. Make sure whoever you appoint doesn’t have a conflict of interest in fulfilling their role as a DPO. Whether you appoint one or not, you must document this along with your reasoning to appease the ICO when they come questioning. Watch a Bulletproof expert explain more about appointing a DPO in this video:

Where to put them?

The best place to put them is in their own department. You can’t have them working under a sales, marketing or support manager because these are core business functions and your DPO may become biased (unintentionally or not) as a result.

If you were to plot the DPO position on your company tree, it would be on the branch just below the highest manager possible. In most cases, this is the big boss CEO, though it can be a different C-Level position so long as it won’t cause conflicts of interest or bias. We’re all responsible for data protection, but the CEO is responsible for the whole business and will take ultimate responsibility for any fines incurred if the company makes a booboo.

Outsourcing is not a dirty word

By now, you’re probably thinking, ‘oh great, now I have to shell out a hefty salary for a DPO.'. Well… not necessarily. The question you have to ask yourself is, am I processing enough data to warrant hiring a full-time DPO?

For most SMEs then the answer is almost always no, in which case an outsourced DPO makes the most sense. Getting the position outsourced means you’ll get someone who is already trained and, crucially, independent from the rest of the business. Perhaps most importantly, you’ll only pay for the time they’re needed for.

Outsourced DPOs are not a solution for enterprise-class organisations or businesses that process vast amounts of data — they will require a full-time DPO. But for the rest of us, outsourcing just makes sense. Either way you choose to do it, having a data protection officer on board will help your business become compliant with GDPR and maintain the best standards of data privacy.