Over the last two decades, it’s arguable that data has overtaken oil and gold as the world’s most valuable commodity. This can be attributed to advances in cloud-based technology, the rise of mobile applications, and the increase in internet speeds and connectivity across the globe. Like oil, the value of data comes from its potential to be refined into an essential commodity.
As the value of data rises, so does the need for security, governance, and protection around this potentially lucrative asset. According to a UN report, 107 countries (66 of which were transition or developing economies) have introduced legislation to guarantee the protection of privacy and data.
Since the General Data Protection Regulation (GDPR) came into force across the EU in May 2018, it has been a mandatory requirement for certain companies that collect and process the data of EU citizens to employ a data protection officer as part of their team.
Data protection officers (DPOs) are responsible for ensuring all data is handled responsibly, and that all staff are trained in data processing and GDPR compliance. This guide will explain what a data protection officer is, their role and responsibilities, and the professional qualifications they should hold. We’ll also outline which companies require a data protection officer, and four key factors to help you decide if a DPO is mandatory for your business.
What does a data protection officer do?
A data protection officer is responsible for managing and organising the implementation of a data protection strategy within a business. Their role is essential, as they ensure that an organisation complies with all GDPR requirements. As they create, update, and maintain a data protection strategy, they protect both their company and its customers from privacy breaches, fraud, and security threats.
Data protection officers report directly to senior management and should be granted full independence to perform their tasks. They should be involved in all issues that relate to the protection of personal data. It’s the responsibility of senior management to ensure that their DPO is sufficiently resourced to perform all of their tasks in line with GDPR compliance. Additionally, they should never be penalised for performing their duties.
Following guidelines published in GDPR Article 39, the responsibilities of a data protection officer include:
- Working as a point of contact between an organisation and the relevant supervisory authorities.
- Training employees on all relevant GDPR compliance requirements.
- Conducting regular audits and assessments to guarantee complete GDPR compliance.
- Sustaining records of all company-wide data processing activities.
- Replying to data subjects to educate them on how their personal data is stored, secured, and used by the company.
- Outlining to customers what data protection measures have been implemented.
- Responding to requests to share copies of personal data, or to erase data as and when necessary.
As of May 25th 2018, it became a legal requirement for many UK-based organisations to appoint a data protection officer. This is because the GDPR was enforced on this date, replacing the 1995 Data Protection Act.
The GDPR guidelines state that there should not be a conflict of interest between the duties of a person appointed as DPO and their other responsibilities. To eliminate such conflict, it’s recommended that a DPO should not be in control of processing activities, for example by also being employed as head of human resources (HR).
We’ll explain more about whether a DPO is mandatory for your organisation later in this piece, but first, we’ll discuss what professional qualities a DPO should have.
What professional qualities should a DPO have?
The role of a data protection officer entails a range of duties and responsibilities. Although the GDPR does not set out a detailed list of specific qualifications, it stipulates that a DPO’s level of experience and knowledge must match the complexity of the data processing operations carried out by your business.
Therefore, when you are evaluating candidates or publishing job listings for a DPO position, we recommend keeping the following points in mind.
Potential candidates should have:
- Five years or more of experience working with EU or global privacy laws. This includes working on compliance, creating privacy policies, and in-depth knowledge of technology provisions.
- IT programming or infrastructure experience, including accreditation in information security standards.
- A wealth of experience in performing audits of information systems, risk assessments, and attestation audits.
- Documented leadership skills achieving pre-defined objectives and coordinating with a range of stakeholders, with the ability to manage multiple projects at once.
- Significant experience coordinating with multiple parties and managers while maintaining professional independence.
- Strong communication skills, with experience in addressing multiple audiences. This includes data subjects, lawyers, IT staff, and managerial teams.
- Demonstrated self-starter with the ability to continuously learn in dynamic environments.
- A career record of embracing emerging technologies and regulations.
- Experience in technical and legal training and education.
- A track record of successful dealings with different business industries and cultures.
It makes sense to start looking for your DPO within your existing IT or legal department. This is because they must have a close knowledge of your organisation’s legal obligations and how you currently process and protect data.
If you currently have a Chief Data Officer appointed within your business, their duties will complement the role of a DPO. Once you’ve evaluated your team, the selected candidate should receive accredited GDPR training or certification.
Recruiting an external DPO requires persistence and perseverance. The International Association of Privacy Professionals estimated that there would be a demand for an additional 28,000 DPOs across Europe back in 2018. As it turned out, over 500,000 DPOs have been registered for private and public-facing organisations across 26 countries located within the European Economic Area (EEA) since 2017.
This need has far surpassed the availability of skilled candidates, making the search for an effective DPO somewhat challenging for many organisations. Larger businesses should look towards some of the leading European technology fairs in their hunt for the ideal candidate. Smaller companies may benefit from investing in managed recruitment services.
Do I need a data protection officer?
Your business must appoint a DPO in a processing or control capacity if your core activities involve large-scale processing of sensitive data or systematic monitoring of individuals. Such monitoring includes any form of profiling or tracking on the internet, even for marketing and advertising.
Note that public administrations are always obligated to appoint a DPO (with the exemption of courts acting in a judicial capacity).
Examples of when appointing a DPO is mandatory for your company/business include:
- A recruitment company that profiles a multitude of individuals.
- A hospital that processes significant amounts of sensitive data.
- Security companies that monitor public spaces or shopping centres.
According to the Article 29 Working Party view, businesses should assume that they require the appointment of a DPO unless they can demonstrate that they don’t. Although this sounds confusing, the regulation sets out three scenarios that clarify when a DPO must be appointed.
Processors and controllers of personal data should appoint a DPO when:
- Any processing is undertaken by a ‘public authority’.
Although this isn’t clearly defined within GDPR legislation, the Article 29 guidelines state that this is a matter for national law. This is a reflection of a definition published in Section 3 of the Freedom of Information Act, 2000.
- The ‘core activities’ of your organisation require frequent and systematic large-scale monitoring of data subjects.
‘Core activities’ are considered as critical operations required to achieve your organisation’s goals. ‘Large-scale’ could be applied to the amount of customer data processed by insurance companies and banks. Additionally, this can be applied for the processing of personal data for behavioural advertising by companies like Amazon.
- In instances where ‘core activities’ include ‘large-scale’ processing of ‘sensitive’ personal data or data that relates to criminal offences and convictions.
‘Special categories’ cover religious beliefs, political opinions, health-related data, and data relating to ethnicity. This applies to trade unions, polling companies, legal authorities, and healthcare providers that store patient records.
When is a DPO not mandatory?
A data protection officer is not mandatory if:
- There is no personal information processed by your company.
- The amount of personal data processed is significantly small.
- Your company’s ‘core activities’ rarely involve the monitoring of data subjects.
- Your organisation is a local community doctor’s practice that processes the personal information of its patients.
- Your organisation is a smaller law firm processing the personal data of its clients.
In instances when a DPO is not necessary, Article 29 states that businesses should store records of their data breaches and processes.
Companies that process significant amounts of data, such as governments, hospitals, and search engines, always require a DPO. A DPO is also paramount if any monitoring, handling, or collection of data is crucial to your business activities.
Note that the majority of small businesses are exempt from legally having to appoint a DPO. However, if they deal with sensitive data on a large scale, they will have to hire a DPO following GDPR laws.
Once you’ve determined how important the processing of data is to the functionality of your business, you’ll have a clear picture as to whether or not you require a DPO.
What are the four key factors used to determine if a DPO is required?
The GDPR guidelines stipulate that the size of an organisation does not necessarily impact their need for a DPO. Instead, it’s the scope and size of their data handling that is a determining factor. Unfortunately, GDPR doesn’t offer numerical guidelines as to what is implied by ‘large scale’ data handling. However, there are four leading factors that governing authorities use to calculate if a DPO is required.
These four factors are:
- Data items.
- Data subjects.
- Geographic range of processing.
- Length of data retention.
It’s safe to assume that a DPO will not be required by your business unless your main focus is data storage or collection.
Frequently Asked Questions
Can a DPO be shared amongst several organisations?
Yes, a single DPO can act for several companies or public authorities. However, if your DPO is covering multiple organisations, they must be able to perform all tasks efficiently. Therefore, the structure and size of the said organisations must be considered.
When hiring, you must consider whether or not one DPO can effectively deal with the complex data requirements of several businesses. Additionally, you must provide all the appropriate resources so that they can carry out their role.
Your DPO has to be easily accessible, with all of their contact details readily available to your staff, your data subjects, and to the ICO.
Can you employ more than one DPO?
Legally, you must appoint a single DPO if your organisation is dealing with large amounts of personal data. However, this doesn’t stop you from hiring a team of data protection specialists to support the DPO.
We recommend that you evaluate your requirements and decide whether or not your DPO needs additional help with their workload. If you choose to hire a support team, you must define each individual’s roles and responsibilities in relation to the role of the DPO.
Additionally, if you hire a support team, you must not refer to any of the individuals as your DPO. This is a specific role, legally required under GDPR guidelines.
Is the DPO solely responsible for compliance?
No, the DPO isn’t solely liable for data protection compliance. As the manager or controller, it’s your responsibility to comply fully with the GDPR. That said, the DPO has a crucial role in ensuring that your organisation fulfils its data protection obligations to the best of its abilities.
The ideal DPO has excellent management skills and is independent and reliable. They should have no additional commitments that interfere with their monitoring responsibilities, and should interact with staff at all levels of seniority.
The right DPO must also ensure internal compliance and alert the relevant authorities around issues of non-compliance. This is the case even if the company could accrue substantial penalties or fines. The role of the DPO is ever-changing in line with technological innovation and data protection laws. Therefore, an ideal candidate must be savvy and willing to continually train and educate themselves to meet current guidelines or changes in the law.