The data protection officer (DPO) is an organisation or company’s go-to source for implementing the General Data Protection Regulation (GDPR) and for data protection advice.
This means making sure all necessary changes are made, all staff members are properly trained in data protection and, once the implementation process is concluded, monitoring compliance with the GDPR and other data protection laws throughout the organisation. Also, the DPO liaises between the Information Commissioner’s Office (ICO) and the organisation and is the first point of contact for all data subjects – both within and outwith the organisation.
Faced with this new requirement and the wide-ranging duties, how does an organisation go about finding that elusive creature, the perfect DPO?
There are several criteria that a DPO must meet. The obvious one is that a DPO must have expert knowledge of data protection law and practices. However self-evident this sounds, it is difficult to ascertain at this stage, as currently there is no recognised certification mechanism for full expertise.
Next, a DPO should have a good understanding of the organisation’s governance structure. This requires buy-in from the management – ‘get the Board on board’ – as the DPO will need to have the backing of the board to instigate the necessary changes. Without endorsement and the necessary resources, this will be an uphill struggle that is doomed to fail.
A DPO must also have a certain level of independence and a degree of protection against dismissal or other sanctions on grounds relating to the performance of their tasks. The DPO must be able to make the decision to notify the ICO of a major breach, and must be protected against disciplinary action or dismissal if the board disagrees with that decision.
The DPO can be either directly employed (‘internal DPO’) or have a service contract (‘external DPO’) with the organisation. He or she can have other tasks within the organisation, so long as there is no conflict of interest with the DPO role. This means that the DPO cannot make decisions as to the purposes for processing personal data. At the same time, DPOs cannot be the Chief Information Security Officer, as DPOs would be forced to investigate their own department – most breaches are caused by a security infringement.
If you are a small(ish) organisation that still needs an experienced DPO, but cost is a problem, then the possibility of an external, shared DPO exists. This solution has advantages and disadvantages.
The advantages are that an external, shared DPO will have no political or organisational baggage, will be able to act in an unbiased manner without fear for their job, will have no concern over favouring certain departments or individuals, may be listened to with more respect than an employed colleague, and, most importantly, will incur lower costs.
The disadvantages are, however, considerable. If a DPO is not part of the organisation, then there is greater difficulty with accessibility to data subjects and all sharing parties, as well as availability to resolve issues raised by both data subjects and ICO. Allocation of time and tasks will need to be carefully considered. Moreover, organisations will still need to employ information practitioners to ‘do the doing’ internally.
Also, a shared, external DPO will have no intimate knowledge of the workings of the individual organisations and how these may vary from each other. Finally, a problem that will need to be considered is what happens if a breach occurs in two organisations simultaneously. To make matters worse, what happens if at that particular time, the shared DPO is on annual leave or ill?
A DPO in a large organisation will very likely face an immense amount of work. One possible way to manage this could be the creation of a network of data protection champions – one or two in every department. These individuals will receive additional training and will then be able to triage questions and provide advice and assistance with Data Protection Impact Assessments. They will be able to answer easy, business-as-usual questions, and only complex questions will require escalation to the DPO.
Finally, effective collaboration throughout an organisation will be crucial for any DPO.
Dr Rena Gertz is data protection officer at Edinburgh University.
Where a DPO is needed
The General Data Protection Regulation (GDPR) was adopted on 27 April 2016 and will become enforceable in Member States on 25 May. One of the changes this new legislation introduces is the requirement for some organisations to appoint a Data Protection Officer (DPO). Article 37 of the GDPR and the Law Enforcement Directive regulate when this is the case – a DPO is needed where:
- The organisation is a public authority, or
- The organisation’s work involves regular and systematic monitoring of individuals on a large scale, or
- The organisation’s work involves processing large volumes of ‘Special Categories of Data’ or information about criminal convictions and offences.