What is a data protection officer?
Find out what the data protection officer role involves and who you need to hire
The General Data Protection Regulations (GDPR) is probably something you've heard a lot about, whether you collect, store and use customer data, or you don't. It's the biggest change to data regulations in the past 20 years and, as a result, there's a lot of buzz about it.
Although many companies weren't quite prepared for the GDPR deadline in May 2018, there's now been a decent amount of time for businesses to start making changes to the way they handle data and ensure that they adhere to their new obligations.
The UK's Information Commissioner's Office has taken a considered approach to enforcing the laws so far, and that's quite normal when a significant law change is actioned. However, as the months and years roll on this year, the ICO is likely to clamp down on businesses failing to comply, so it's vital you ensure you're covered.
There's a slight variation depending on the size of your organisation. One that processes a lot of data such as a marketing or research firm, or is considered a "large" business must recruit a data protection officer (DPO) to overlook the data collection, storage and processing to make sure it's in line with the GDPR. Their role is to make sure any information relating to customers, partners, employees or anyone else is collected and stored with the subject's best interests at heart.
Although the UK will soon be exiting the EU, the area in which the GDPR regulations apply, that doesn't mean the obligation for businesses to comply with EU law will change.
In fact, if your business wants to keep on communication with European citizens, there must be solid evidence that the company is still sitting within the scope of the GDPR. It doesn't matter if your organisation's head office is in the UK, Asia, Europe or the US, if you want to communicate with those in the Eurozone, you must follow the guidelines.
Another reason to comply is that the UK will revamp its existing Data Protection Act in the near future to follow the exact same premise as the GDPR, including the exact same guidelines. So ducking out of GDPR obligations will also mean breaking local laws if you don't comply.
You can read more about what the new regulations mean in our in-depth GDPR lowdown, including how to prepare for them, as well as the latest news about the legislation but for now, here's an explanation of what a DPO is and how they can help your business stay on the safe side of the law.
Data protection officer job description
The DPO is responsible for the business' compliance posture in relation to GDPR. They are tasked with monitoring all data processing activities on an ongoing basis, and ensuring any necessary changes are made to bring operations in line with the regulations. This can include advising on changes to the organisation's data collection practises, as well as overseeing the creation of privacy policies and other documentation.
Within the corporate structure, DPOs generally report directly to the highest management level within the company, which usually means the CEO or the board of directors. If they have other responsibilities in addition to their role as DPO, these should not create any conflicts of interest.
The DPO acts as the company's primary point of contact with the ICO on any matters relating to data protection or data privacy, liaising directly with the regulator on any investigations. If a data breach occurs within a company, and that breach is likely to adversely affect the data subject's rights and freedoms, the DPO is responsible for alerting the ICO within the GDPR-mandated 72-hour time period.
They also act as the primary liaison for any employees who may have questions about the company's data processing policies, as well as customers or members of the public. They are responsible for acting on any subject access requests (SARs) or rectification or deletion requests that the business may receive.
Training and awareness is another element of the role, and DPOs should conduct regular training sessions and audits to ensure that staff are fully cognizant of the organisation's guidelines and legal responsibilities around the handling of data.
Do you need a data protection officer?
If you're wondering whether you need to make the extra investment in a data protection officer, the answer is (unfortunately for you), probably yes.
The GDPR regulations stipulate that all organisations need to appoint a DPO if their core activities cover data processing of any type, particularly those that include "regular and systematic monitoring of data subjects on a large scale."
Additionally, any organisations that collect and process information, specifically concerned with ethnicities, religious beliefs, trade union memberships, genetic data, biometrics, sexual orientation and criminal offences and convictions must appoint one too.
But, if you work in a public sector organisation, you may find that you are able to share a DPO with other bodies rather than having to appoint your own, which may lighten the load somewhat.
Data protection officer qualifications
Your data protection officer can be appointed from within the company, or they can be a fresh hire from outside your company.
Of course, he or she does need to be qualified to hold the position. The legislation gives organisations a fairly free hand in deeming what qualifications are requisite for the role, however, simply stating that:
"The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39."
So the DPO should be well-versed in data protection law and how to comply with these rules, which is one reason former lawyers and barristers are proving popular hires with businesses that have already brought one onboard. They can also hold other responsibilities within the organisation, which may be particularly handy for those businesses that wish to recruit for the position internally, as long as these don't create a conflict of interest with their DPO duties.
Four cyber security essentials that your board of directors wants to know
The insights to help you deliver what they needDownload now
Data: A resource much too valuable to leave unprotected
Protect your data to protect your companyDownload now
Improving cyber security for remote working
13 recommendations for security from any locationDownload now
Why CEOS should care about the move to SAP S/4HANA
And how they can accelerate business valueDownload now