Although we have long known that the General Data Protection Regulation (GDPR) will require a lot of companies to appoint a Data Protection Officer (DPO) in order to be compliant, there is still considerable confusion around the role, even as the date that the regulation comes into force grows ever nearer.
FourthLine have had many conversations with our clients about GDPR, and this article aims to answer some of the most common questions that are put to us as organisations look to take on a DPO.
What is the DPO?
Although the specific role of the DPO is not clearly defined within the GDPR, they are going to have responsibility for all issues relating to the protection of personal data within your organisation, ensuring that you are compliant with GDPR requirements. They will act as figurehead for data protection and will be afforded some protected and independent status under GDPR.
It’s important that you think of the DPO as a business enabler. It will be their role to go around your business teams helping them to establish new processes or develop new products or services, and they should do it in a way that puts data protection at the heart of what your doing from the outset. This will ultimately lead to better services and products in the long term.
Try not to think of it as a trade-off between data protection compliance versus what you need to do as a business. If anything, you should think beyond compliance and consider what you should be doing from an ethical point of view. Of course, the DPO needs to think about compliance, but they also need to help your business make ethical judgements and decisions around how you want to behave with regards to personal data.
Do you need a DPO?
The GDPR outlines the different types of organisation that need to appoint a DPO, but again some of the terms and considerations are a bit vague. Ultimately it’s a judgement call on your behalf. It’s worth taking a step back from the regulation and consider the relevance of data processing to your organisation. What data do you have? What do you do with it? Are there any inherent risks to your data processing activities?
If you are carrying out large scale processing of data or you’re using data analytics in a significant way to drive your business strategy, then you are a data driven business and probably require a DPO. However, if you find that you are only processing employee data then perhaps you don’t need to hire a DPO (though it may be worth hiring a data protection professional voluntarily to mirror the role of a DPO to ensure you do remain compliant).
Where should the DPO sit?
This is a question that comes up time and time again, and unfortunately there isn’t one single right answer. Ultimately, as long as there is no obvious conflict of interest, then where you place the DPO doesn’t matter. The most important thing is that they are empowered to work across multiple functions to get the job done.
Ask yourself what the driving decision is behind hiring a DPO. If you are primarily looking to make your organisation GDPR compliant, then you may want to sit them within your legal team. On the other hand, if you’re looking for the DPO to drive behavioural change and adopt a holistic approach, then you may want to put them into a more operational role.
What qualities should a DPO possess?
There are many qualities you should be looking for from a DPO. Beyond the more obvious attributes, such as expertise in the area of data protection law or understanding how IT or security systems work, it’s important that you hire somebody who is able to build networks in all areas of your business, and across geographical borders if necessary.
The DPO you appoint should be able to balance both the operational and regulatory angle of the role. Essentially, they need to be able to design policies and processes, but also roll up their sleeves and get things done when required. They should be a business enabler with an ethical mindset and the ability to strategically think about the data in your business and the direction you are taking with your data.
Should you outsource or share a DPO?
If you didn’t want to employ a full time DPO then there is the option to outsource the position, and it’s something that several clients have discussed with us. Outsourcing would work best if your data activity is straightforward, but there is the potential that it could lead to a cautious, safety-first approach whereby the outsourced DPO identifies some of the risks without helping you to find a solution.
Another idea that has been suggested by clients is the option of sharing a DPO with other firms or organisations. Again, this is a possibility if your data processing is fairly simple, and if you are completely certain that there is no conflict of interest or competition conflict with the organisation you are sharing a DPO with. It’s worth remembering though that the GDPR states that your DPO should be ‘easily accessible’ by any organisation this person works with, so this could become more difficult if they are working for several organisations at once.
