What Should You Consider When Appointing a Data Protection Officer?

By Mark Benson, Esteem's Director of Marketing & Alliances

After publishing my first blog around GDPR several months ago, it has been really positive to see the way organisations are reacting to the forthcoming regulation. Now it is important to note that not everyone has started their journey, but it is encouraging to see how some organisations are taking onboard the advice from the ICO and the wider press putting things into place. One area that is still of concern though is that of the Data Protection Officer (DPO).

The DPO or Data Protection Officer is a requirement under GDPR if you meet the following criteria;

  • Your organisation is a public authority (except for courts acting in a judicial capacity);
  • Your organisation carries out large systematic monitoring of individuals (for example, online behaviour tracking); or
  • Your organisation carries out large scale processing of special categories of data or data relating to criminal convictions and offences.

You can appoint a DPO for a number of authorities or group of companies as long as the size and scale permits.  You can also appoint a DPO if you do not have an obligation to as well, this is definately best practice when preparing for the act that comes into fruition on 25th May next year.

So what does a DPO do within an organisation?

Well again, the ICO has made it very clear as to what tasks a DPO must undertake and their position within an organisational hierachy.  The DPO as a minumum under Article 39 must;

  • Inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws;
  • Monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits;
  • Be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).

The ICO is also very clear on the employer duties stating that;

  • The DPO reports to the highest management level of your organisation i.e. Board Level;
  • The DPO operates independently and is not dismissed or penalised for performing their task;
  • Adequate resources are provided to enable DPOs to meet their GDPR obligations.

What trends are we seeing? 

So with all this in mind, it has been a surprise to me that some organisations I have met with to discuss GDPR and met with at events are assigning the role of DPO to a low level employee within ICT who has the bandwidth to attend a course on the basics of GDPR.  This trend has definitely been seen more within the Public Sector rather than commercial organisations as it is a mandatory requirement for those bodies. 

The other trend that has definitely been developing is that GDPR is an IT issue, organisations are expecting the answers to compliance to come solely from IT and again, this is not correct.  Whilst IT has a large role to play in enabling compliance, there are a considerable number of other processes outside of IT that need to be in place to adhere to the new legislation.  It's unlikely that an IT solution is ever going to be the answer to all GDPR challenges. 

If I look at my own organisation, we have appointed our DPO based on both his skillset and position within the company.  He is already on the Board and is working hand in hand with our CEO to ensure we meet our obligations.  He also has a background in compliance and has already attended the GDPR course to ensure his knowledge is aligned with the new regulation.  The decision was not made on who has the most bandwidth, but who is the right person to drive the initiative within our company.  

What should you consider when appointing a DPO? 

If you have not yet appointed your DPO, please consider the following:

  1. Who has the right skills and knowledge around compliance within your organisation? If you have a Compliance Officer then this is a good place to start!
  2. Who has the ability to liaise with the Board on compliance requirements within your organisation? The person needs to be a strong individual as some situations a DPO will come across will be challenging, especially if investment is required to ensure compliance and it has not been budgeted for.  The individual may also have to deal with the ICO so they need the right skills to be able to manage that relationship.
  3. Who has the customer service skills to deal with customers when requests come into your organisation? Having strong people skills is essential for the role.
  4. Bandwidth.  Whilst this has been a major factor in the appointment of some DPOs, it should not be the only reason for appointing an individual. However, the time it takes to attend training, deliver training internally, go through the compliance journey and service requests will require bandwidth. 


GDPR Gap Analysis

Get in touch

Get in touch with us by completing the form below and we'll get back to you shortly. Alternatively, you can e-mail us on contact@esteem.co.uk or call us on 01937 861 000.