Data Protection Officer (DPO)
Written by Rose Miller on 20/07/2018
What is a Data Protection Officer (DPO)?
A Data Protection Officer (DPO) is an advisory role concerned with the security of personal data. They oversee data protection strategy and implementation in order to maintain good security of personal data and ensure compliance with GDPR legislation. A DPO will be the single point of contact for all matters relating to personal data, particularly in the case of a data breach.
What are a DPO’s responsibilities?
A DPO’s responsibilities include informing and advising data processors, data controllers and any employee involved in the handling of personal data, highlighting their individual obligations under GDPR. A DPO must monitor compliance with the regulation across an organisation. This will include identifying and analysing all processing activities and highlighting problematic areas. A DPO will ensure that all the relevant safeguards are in place to protect personal data and assign the relevant roles to staff, as well as providing advice and training where required. They will also oversee the conduct of data protection impact assessments (DPIAs) and monitor their performance.
A Data Protection Officer will liaise and cooperate with the relevant regulatory authority (the ICO in the UK), particularly in the event of a data breach. Similarly, the DPO will act as a single point of contact for all enquiries and requests from data subjects.
Furthermore, under Article 33 of GDPR legislation any breach which poses a risk of causing harm to the data subject or their fundamental rights must be reported to the regulatory body within 72 hours of it becoming known. How the breach occurred, the number of people affected, and the amount and type of data concerned must also be reported, along with a remediation plan. Without a DPO, this information may be hard to obtain, as it relies on several different departments, each of which may give different information. Whilst a single person must take responsibility for data protection regardless of whether a DPO is appointed, this person may not have all the information required in the event of a breach.
A dedicated DPO, or a member of staff carrying out these duties, will make the process a lot smoother and will demonstrate a level of transparency. If, due to miscommunication or poor data management, you are unable to satisfy the regulator, then your company will be put at unnecessary risk.
Data Protection Officers’ GDPR requirements
As briefly mentioned earlier, a DPO is necessary if you are an organisation whose core activity is “monitoring individuals regularly and systematically on a large scale.” Like a lot of government legislation, this is frustratingly vague.
For starters, what constitutes ‘large scale’ is not defined anywhere in GDPR. This is not to say that as time progresses we won’t see a minimum figure introduced, but for now, it is very much a judgement call. It’s recommended that the following factors are taken into consideration:
- The number of data subjects concerned – either as a specific number or as a proportion of the relevant population
- The volume of data and/or the range of different data items being processed
- The duration, or permanence, of the data processing activity
- The geographical extent of the processing activity
The Data Protection Working Party defines regular as:
- Ongoing or at particular intervals
- Recurring at fixed times
- Constantly or periodically taking place
Having a dedicated, full-time DPO may be beneficial despite the significant annual wage cost. Not only can this chosen person fulfil requests from data subjects (and remember this includes employees too), but they can devote more time to data and process mapping and improving security and processes in order to avoid breaches.
Should a breach occur, this person will already have most of the necessary information and can easily liaise with other departments to obtain more in order to offer the regulator a comprehensive report of the situation.
Employees will also have a familiar face with whom they can consult regarding their own personal data or pass on questions from external sources. Being based in the office and knowing the business inside and out can help the DPO fulfil their obligations with greater efficiency.
Costs of outsourcing a DPO
Whether you are legally obligated to appoint a Data Protection Officer or not, there has to be someone who takes charge of personal data and its protection within every business holding data on EU/UK citizens. Having a dedicated DPO can alleviate the stress of having to maintain GDPR compliance alongside carrying out other duties. It is a varied, time-consuming role which will be invaluable for protecting your business. Fines aside, a data breach or poor data management can have serious reputational impacts, and any data subjects affected by the breach can make separate damage claims.
Be sure to make an informed decision when it comes to selecting your DPO. Whether you appoint a member of staff, hire a dedicated DPO or plan on outsourcing this role, be sure to go for an option that best suits your business.