Understanding the Role and Responsibilities of the DPO
Written by Nicky Whiting on 15/05/20
In other words, having Donald Trump sworn in as the 45th president of the United States and sealing the British ‘Leave EU’ vote. The algorithm and database have since been likened to a psychological warfare tool, threatening our privacy rights as well as jeopardising the foundations of our democracy. With data overtaking oil as the most valuable resource, this scandal further reinforced the need for data protection laws, including the European General Data Protection Regulation (GDPR), introduced only a couple of months later.
Unfortunately, reports suggest that many organisations have yet to achieve compliance with GDPR. Over a year after its implementation in 2018, a study conducted by Egress found that more than half of businesses (52%) are not fully compliant with GDPR. British Airways and Marriott International are two of the more high-profile cases of organisations that simply had not implemented adequate safeguarding measures, exposing them to fines of £183 million and £99 million, respectively. GDPR compliance is an involved process that cannot be achieved overnight. Rather, it is an ongoing learning curve that requires time, as well as someone qualified and well-versed to oversee its implementation and long-term compliance as part of the business’ operations. That person is the Data Protection Officer (DPO), and among the many new rules GDPR has introduced is a further tightening of the requirements and criteria for this key role.
7. Keeping up to date with the latest data privacy legislation and rulings by the EDPB and Supervisory Authorities
Given that GDPR is a relatively new law, there are still a lot of unknowns regarding its interpretation. The DPO plays a key role in ensuring the business is informed of new guidance from regulatory authorities and also understands how new privacy legislation might affect the business.
As such, the European Data Protection Board stipulates that the DPO must have an in-depth understanding of GDPR as well as information technology and data security. They should also be well-informed about the business and its industry.
What GDPR says about a DPO
Reporting to the highest level of management, and autonomy
DPOs must report directly to the highest management level and must not receive instructions regarding the performance of their duties. They should have full authority over their own budget, which allows them to:
- Conduct site visits
- Hire a team to fill in any skills gaps, or to provide support in case of a crisis/security issue
- Ensure employees receive the necessary security training
- Invest in educational material and events
- Become a member of associations for DPOs and privacy professionals, including the IAPP
Furthermore, they should have the mandate to conduct investigations without fear of reprisal. Indeed, no disciplinary action can be taken against the DPO for the advice they offer. Equally, they are not personally liable if the advice given was not acted upon by the organisation.
There are many factors to consider when looking to appoint a DPO, and there is no one-size-fits-all approach. While the search for the right DPO may at first present itself as a burden, it is worth investing the time – especially as the stakes have never been higher, both on a reputational and a financial front. If you would like to discuss your DPO requirements, or find out more about Bulletproof’s Outsourced DPO packages, designed to suit any organisation size, please get in touch by emailing email@example.com or give us a call on 01428 532 900.