After publishing my first blog around GDPR several months ago, it has been really positive to see the way organisations are reacting to the forthcoming regulation. It is important to note that not everyone has started their journey, but it is encouraging to see how some organisations are taking on board the advice from the ICO and the wider press and putting things into place. One area that is still of concern, though, is that of the Data Protection Officer (DPO).
Appointing a DPO is a requirement under GDPR if you meet the following criteria:
A single DPO can serve a group of companies or a number of public authorities, provided their size and structure allow it and the DPO remains easily accessible from each of them. You can also appoint a DPO voluntarily where there is no obligation to do so, and this is definitely best practice when preparing for the regulation that comes into force on 25 May next year.
Again, the ICO has made it very clear what tasks a DPO must undertake and where the role sits within an organisational hierarchy. As a minimum, under Article 39 the DPO must:
The ICO is also very clear on the employer's duties, stating that:
So with all this in mind, it has been a surprise to me that some organisations I have met to discuss GDPR, or met at events, are assigning the role of DPO to a low-level employee within ICT who has the bandwidth to attend a course on the basics of GDPR. This trend has definitely been seen more within the public sector than in commercial organisations, as the role is a mandatory requirement for public bodies.
The other trend that has definitely been developing is the view that GDPR is an IT issue: organisations are expecting the answers to compliance to come solely from IT, and again this is not correct. While IT has a large role to play in enabling compliance, there are a considerable number of processes outside IT that need to be in place to adhere to the new legislation. It is unlikely that an IT solution is ever going to be the answer to all GDPR challenges.
If I look at my own organisation, we have appointed our DPO based on both his skillset and position within the company. He is already on the Board and is working hand in hand with our CEO to ensure we meet our obligations. He also has a background in compliance and has already attended the GDPR course to ensure his knowledge is aligned with the new regulation. The decision was not made on who has the most bandwidth, but who is the right person to drive the initiative within our company.
If you have not yet appointed your DPO, please consider the following: