This means making sure all necessary changes are made, all staff members are properly trained in data protection and, once the implementation process is concluded, monitoring compliance with the GDPR and other data protection laws throughout the organisation. Also, the DPO liaises between the Information Commissioner’s Office (ICO) and the organisation and is the first point of contact for all data subjects – both within and outwith the organisation.
Faced with this new requirement and the wide-ranging duties, how does an organisation go about finding that elusive creature, the perfect DPO?
There are several criteria that a DPO must meet. The obvious one is that a DPO must have expert knowledge of data protection law and practices. However self-evident this sounds, it is difficult to ascertain at this stage, as currently there is no recognised certification mechanism for full expertise.
Next, a DPO should have a good understanding of the organisation’s governance structure. This requires buy-in from the management – ‘get the Board on board’ – as the DPO will need to have the backing of the board to instigate the necessary changes. Without endorsement and the necessary resources, this will be an uphill struggle that is doomed to fail.
A DPO must also have a certain level of independence and a degree of protection against dismissal or other sanctions on grounds relating to their performance of their tasks. The DPO must be able to make the decision to notify the ICO of a major breach, and the protection against disciplinary action or dismissal if the board disagrees with the decision.
The DPO can be either directly employed (‘internal DPO’) or have a service contract (‘external DPO’) with the organisation. He or she can have other tasks within the organisation, so long as there is no conflict of interest with the DPO role. This means that the DPO cannot make decisions as to the purposes for processing personal data. At the same time, DPOs cannot be the Chief Information Security Officer, as DPOs would be forced to investigate their own department – most breaches are caused by a security infringement.
If you are a small(ish) organisation that still needs an experienced DPO, but cost is a problem, then the possibility of an external, shared DPO exists. This solution has advantages and disadvantages.
The advantages are that an external, shared DPO will have no political or organisational baggage, will be able to act in an unbiased manner without fear for their job, will have no concern over favouring certain departments or individuals, may be listened to with more respect than an employed colleague, and, most importantly, will incur lower costs.
The disadvantages are, however, considerable. If a DPO is not part of the organisation, then there is greater difficulty with accessibility to data subjects and all sharing parties, as well as availability to resolve issues raised by both data subjects and ICO. Allocation of time and tasks will need to be carefully considered. Moreover, organisations will still need to employ information practitioners to ‘do the doing’ internally.
Also, a shared, external DPO will have no intimate knowledge of the workings of the individual organisations and how these may vary from each other. Finally, a problem that will need to be considered is what happens if a breach occurs in two organisations simultaneously. To make matters worse, what happens if at that particular time, the shared DPO is on annual leave or ill?
A DPO in a large organisation will very likely face an immense amount of work. One possible way to manage this could be the creation a network of data protection champions – one or two in every department. These individuals will receive additional training and will then be able to conduct a triage of questions and provide advice and assistance with Data Protection Impact Assessments. They will be able to answer easy, business-as-usual questions and only complex questions will require escalation to the DPO.
Finally, effective collaboration throughout an organisation will be crucial for any DPO.
Dr Rena Gertz is data protection officer at Edinburgh University.
Where a DPO is needed
The General Data Protection Regulation (GDPR) was adopted on 27 April 2016 and will become enforceable in Member States on 25 May. One of the changes this new legislation introduces is the requirement for some organisations to appoint a Data Protection Officer (DPO). Article 37 of the GDPR and the Law Enforcement Directive regulate when this is the case – a DPO is needed where:
- The organisation is a public authority, or
- The organisation’s work involves regular and systematic monitoring of individuals on a large scale, or
- The organisation’s work involves processing large volumes of ‘Special Categories of Data’ or information about criminal convictions and offences.