If your business legally requires a Data Protection Officer or DPO, this may be increasingly hard to come by in 2018. There is already a shortage of suitable candidates, who must have expert knowledge of data protection law in addition to a sound, working knowledge of IT given the nature of the role. This combination is not necessarily easy to achieve.
DPOs are legally required:
- For public authorities; or
- Where a business's core activities involve the regular, large-scale or systematic monitoring of individuals; or
- Where a business's core activities involve the large-scale processing of sensitive personal data.
Although it is not compulsory for most businesses to have a DPO, in practice the ICO recommends that large organisations engage one. This is only a recommendation, however. It is also worth noting that the definition of what is a ‘large company’ is often disputed, although we would suggest that companies with over 250 employees seriously consider whether the engagement of a DPO would be worthwhile.
Sadly there is often great confusion over the role of the DPO and who can be employed to carry out this function. The DPO is essentially an independent auditor who evaluates GDPR compliance. He or she cannot force changes within the company; he or she can only identify where compliance is or is not being achieved and report this to the Board of Directors. It is the Board who must then go about ensuring compliance and making changes. In addition, the DPO cannot be sacked for carrying out his/her responsibilities.
As the role requires independence, it cannot be carried out by a person within the organisation who is also responsible for implementing changes and bringing about compliance. Do not think that the head of IT can one day be responsible for working on systems which involve personal data and the next day act as DPO and audit their very own work. This is a clear conflict of interest and is not permitted under GDPR.
No auditor is popular, and if you do require a DPO then it is important that he/she has sufficient gravitas and experience to audit your GDPR compliance correctly, and is able to report honestly to the Board. Our consultants are experienced at working in multinational corporations with Board members at the highest level. We pride ourselves on our technical ability, integrity and common-sense approach.
Our Data Protection Officers can be engaged on an ongoing, part-time basis, or they can work with you full time on a temporary basis until you have recruited the right person for the job.