The role of the Data Protection Officer, or the ‘DPO’ for short, is crucial for compliance with the EU General Data Protection Regulation for some organisations and, depending on where you are in the world, this role could also be required within your local data protection legislation.
It’s a much debated role and many organisations are having detailed conversations about where it sits in the organisation’s structure, who it reports to, and how it is resourced.
The GDPR regulations come into force on 25 May 2018 and at this point, if you require a DPO you will need to name them.
It is a role appointed for certain types of controllers and processors as detailed below:
It might be you are a small organisation but, your processing of personal information is large scale, so size of data processing matters. In line with the data protection principle of accountability, you will need to record your consideration as to whether you should appoint a DPO. We have a tool to help you assess this, for anyone interested please contact us, but, as it’s not the subject of this article, we'll move on.
What’s the main function of the DPO?
The DPO exists to protect the fundamental rights and freedoms of the individuals whose data is being processed by a data controller or processor.
How is the DPO designated in the GDPR?
Article 37 sets this out:
You could see the DPO as being the ‘Voice of the Data Subject’ in the organisation. They represent them and ensure that the data controller is processing in accordance with the regulations. This is a multi-faceted role and combines training and a strategic advisory role with monitor and critical friend, and a close relationship with the Supervising Authority.
The Position of the DPO
A DPO’s position is clearly written in the regulations:
Which function should the DPO be in and how senior should they be?
The GDPR is mute on the topic of which function and at which level the DPO should be. This is causing some deep discussions and head-scratching for data controllers everywhere. With such a crucial role and time running out, data controllers and processors need to decide:
Solutions in terms of the where the DPO sits in organisation structure’s vary and have included:
What are the requirements for the DPO role?
The requirements of the role are set out in the EU GDPR and these will need to be translated into a job description, or a services contract, if outsourcing.
A checklist of questions to support your analysis
Organisations tackling the task of analysing their DPO role and function might find the following questions helpful to ask themselves:
What should I consider when hiring a DPO?
A DPO is going to be a crucial role in your organisation. Technical skills with a track record in data protection is going to be a given or at the very least, the ability to train up quickly. They will need to build great relationships internally and externally, train and advise and also hold the line to protect the individual’s data. They also cannot be penalised for doing their job. Considering all of this, it is not an easy pair of shoes to fill.
An organisation might do well to hire with a well-balanced view on behavioural competencies as well as technical and also consider advanced selection tools and case study tests.
It’s likely that, in the worst-case scenario, this role’s ability to manage a serious data breach will be influential as to whether an organisation will receive a rectification plan and have to remediate, or a significant fine.
How do I resource a DPO?
The GDPR allows you to consider insourcing or outsourcing the role. If insourcing you can consider a secondment to allow for a rotation on the role and the opportunity to bring in fresh thinking, or a permanent hire.
If outsourcing there are various organisations that offer DPO outsourcing services and they can be contracted to provide full-time or part time support. If you are part of a group of companies you may also consider outsourcing within the group.
The following is a summary checklist that can be used in order to assess how you might resource the DPO:
The EU Article 29 Working Party have also published some helpful guidelines:
We hope that this article has been useful? We’re working with organisations who are answering these questions. If you want more information on a target operating model for a data protection officer, an approach to a GDPR project, online training materials or anything else, we are always delighted to hear from people.