- August 22, 2017
- Data Protection Officer
Let’s clear one thing up straight away: when we talk about a Data Protection Officer, or DPO, it is the role that matters, not the headcount. You may not need a full-time employee; as with a payroll service, an external DPO engaged as and when needed may be all you require. To be precise, not every organisation is obliged to appoint a DPO at all, and only those that appoint one must publish and notify the DPO's contact details to the Information Commissioner's Office (ICO); whether that applies depends on what sort of business you are and what you do with personal data. But any organisation that handles personal data needs the competence the role brings, and would benefit from having a DPO for the following reasons:
- They will guide your business through a complex new approach to privacy regulation that touches disciplines from human resources, legal, corporate structure and business planning through to website content and structure, database design, IT infrastructure and cybersecurity. The GDPR also requires that a DPO operates without any conflict of interest within your organisation, which makes them in one sense a ‘regulator’ acting on behalf of the interests of data subjects rather than the interests of your organisation; it is precisely that independence that makes their advice credible if you ever have to account for a breach.
- The second reason is that a DPO acts as a form of insurance, and in two ways. Any actual cyber or data insurance cover you take out is very likely to require that you demonstrate your compliance with the GDPR. More importantly, the most effective investment you can make is in the measures that ensure you never have to make a claim in the first place.
- Starting with basic awareness and an assessment of what personal data your organisation holds, where it sits and what you do with it, the DPO delivers the third benefit: the structured presentation of your privacy procedures to your customers, employees and stakeholders. This will likely include your terms and conditions, your website forms and privacy policy, your contracts with third parties that handle data on your behalf (Data Processors) and your arrangements with staff. Hopefully you’re starting to see there’s a lot that needs addressing.
- Key to much of the required compliance is the training of staff, followed by a rolling audit that identifies further needs and requirements. This calls for a sensitive approach by somebody who is seen as a team member, because ‘old dogs’ generally do not enjoy being taught ‘new tricks’, yet much has to change. Having a specialist within your organisation who is responsible for maintaining data protection discipline is the essential fourth benefit.
- The fifth task for your DPO is to ensure that you have a plan in place to respond professionally should you find yourself in the (let’s be honest here) increasingly likely situation of suffering a breach. The GDPR requires that you have thought about it before it happens: a breach that is likely to result in a risk to individuals must be reported to the ICO within 72 hours of your becoming aware of it, and where the risk to individuals is high, those affected must be told without undue delay. That leaves no time to work out after the event who decides, who drafts the notification and how you will handle your customers, the press, your website and social media.
- The GDPR weights privacy obligations heavily in favour of the individual, more so than the Data Protection Act did, and one of the most time-consuming functions could be responding to “Subject Access Requests” (SARs). These must be handled professionally and politely, within one month (extendable by up to two further months where requests are complex or numerous), in order to minimise disruption to your daily business. They must also be handled cost-effectively, because under the GDPR you can no longer charge a fee for your response except where a request is manifestly unfounded or excessive. Your DPO will know how and when to respond, and putting a plan in place for this is their sixth duty.
- The DPO Centre is dedicated to treating the regulations as a positive opportunity for the organisations we work with, so a major part of our duties is to report to senior management and your board on data protection issues and activities, and to articulate any data protection risks associated with your activities. Our intent is to work with your organisation as a pathfinder, not a roadblock to innovation or growth. We do not wish to focus on the negativity of fines, but on the positive manner in which you are protecting the interests of your customers.
- Last, but certainly not least, is the implementation of technical measures that add significantly to your corporate protection in a world of cyber criminality. The same controls that keep personal data private will also protect you from other forms of exploitation. Your IT staff may already have done some of this, but they will not have started from the basis of privacy built into the corporate structure, which is what the GDPR's requirement for data protection by design and by default is all about.
Your Data Protection Officer, whether you are obliged under the regulation to have one or not, is a critical and valuable new role within the modern professional organisation.