If your business legally requires a Data Protection Officer or DPO, this may be increasingly hard to come by in 2018. There is already a shortage of suitable candidates, who must have expert knowledge of data protection law in addition to a sound, working knowledge of IT given the nature of the role. This combination is not necessarily easy to achieve.
DPOs are legally required:
- For public authorities; or
- Where a business's core activities involve the regular, large-scale or systematic monitoring of individuals; or
- Where a business's core activities involve the large-scale processing of sensitive personal data.
Although it is not compulsory for most businesses to have a Data Protection Officer, in practice the ICO recommends that large organisations with over 250 employees engage one. This is only a recommendation – the obligation was removed from an earlier draft of the regulation. However, we would recommend that what the ICO wants, the ICO gets!
The Data Protection Officer is essentially an independent auditor who evaluates GDPR compliance. He or she cannot force changes within the company, but can only identify where compliance is or is not being achieved and report this to the Board of Directors. It is the Board who must then go about ensuring compliance and making changes.
As the role requires independence, it cannot be carried out by a person within the organisation who is also responsible for implementing changes and bringing about compliance. Do not think that the head of IT can one day be responsible for working on systems which involve personal data and the next day act as DPO.
No auditor is popular, and it is important your Data Protection Officer has sufficient gravitas and experience to report honestly to the Board. Our consultants are experienced at working in multinational corporations with Board members.
Our Data Protection Officers can be engaged on an ongoing, part-time basis, or they can work with you temporarily until you have recruited the right person for the job.