The Importance Of A Data Protection Officer
There's no doubt that your company's data is one of its most valuable assets, and the worst thing you can do is fail to protect it from unauthorized access, theft, and corruption. You risk losing business data, finances, assets, and reputation. So, how do you keep the data you hold on staff and customers compliant? Are you obliged to appoint someone to that role?
It is important to note that the GDPR doesn't make it mandatory for every business to appoint a Data Protection Officer (DPO). Yet there is a simple test you can run to assess whether you need one.
Test 1: Are you a public authority or body? This covers organizations owned by the public sector and those that carry out tasks in the public interest, excluding courts acting in their judicial capacity.
Test 2: Do your core activities require regular and systematic monitoring of individuals on a large scale? For example, your business, whether as processor or controller, monitors data subjects' online and offline activities, or tracks and profiles them.
Test 3: Do your core activities include processing sensitive data on a large scale? For example, your business processes sensitive data relating to data subjects, such as criminal convictions.
If you answered "Yes" to any of the above, then, sure enough, you need a Data Protection Officer on staff. You can also choose to appoint a DPO voluntarily.
Whatever the driver is, don't forget to assign them the duties, resources, and independence they deserve.
So what do these officers do? Like many others, your business may not have this expertise in-house. This is why we are here to help you understand who a DPO is, their importance and roles, and most importantly, how to get one. Keep reading!
Who Is A Data Protection Officer?
The data protection officer's role emerged with the implementation of the GDPR. First, the officer conducts regular security audits to ensure the company adheres to the regulation. They thus check internal compliance, improving your accountability. After that, DPOs advise you on your data protection impact assessments and monitor their compliance. Besides that, they act as the link between the data subjects and the Information Commissioner's Office. To sum up, they help you minimize the risks associated with data protection.
The introduction of this regulation has led to unprecedented demand for qualified DPOs. That, in turn, led to an unsurprising shortage of professionals. What's more, most companies aren't sure about the hiring process.
Have you been considering promoting an existing employee to that position? Does picking someone from the legal department also cross your mind? Suppose you hire externally; what do you look for? Take it easy, as we have made your search easier by answering these questions below.
Who appoints the DPO?
The GDPR allows companies to appoint a DPO internally (from their own staff) or hire one externally. Either way, the appointment must be based on professional qualities. In particular, the person must have expert knowledge of data protection law and practice.
Does the regulation allow companies to appoint a single officer for several organizations?
Definitely yes. The regulation allows you to designate one officer for your various companies. The only condition is that the officer should be accessible to all those companies.
We don't dispute your decision to appoint one of your staff members to the DPO role. After all, it is best to have someone you can trust. All the same, selecting an insider also means training them if they aren't already experts, so you will need resources to take them through that process. There is also the risk of conflicts of interest and interference with their independence, and no guarantee that their colleagues will accept and respect their new role. Luckily, you still have the option of outsourcing to an external DPO.
Outsourced DPOs are experts, i.e., a complete package that doesn't need training or guidance. They may also build good working relationships with your staff without difficulty. Besides, they don't need to be full-time employees, and hiring them means less risk of a conflict of interest. The downside is that they may be relatively expensive and unfamiliar with your industry, and they may not always be on hand to resolve issues as promptly as you would like. In short, pick wisely; the law requires you to communicate the details of the appointment to the relevant DPA (data protection authority).
What Qualities Should You Look For When Selecting A Data Protection Officer?
Getting a DPO is not always the issue; getting a qualified one is. Do you know the skills and characteristics to look for in a DPO? What makes one stand out from the rest? Well, that should be the least of your worries. We are here to help you narrow down your options using the following checklist. The officer you hire should:
- Have expert knowledge of data protection law and practice, as stipulated in Article 39.
- Have a good understanding of your industry and its data protection needs.
- Know how the company carries out its specific core processing activities.
- Have good communication skills to simplify complex regulatory requirements, combined with the behavioural skills needed to address poor human practices.
- Be able to handle sensitive data and the potential issues arising from it.
- Have proper project management and disaster recovery skills.
- Lastly, be confident and have IT security experience. This extra skill helps the DPO complement the chief information officer.
The Position Of The Data Protection Officer - What It Takes
The discussion of data protection officers doesn't revolve around the persons; it's more about what they do, their roles. As a result, you will agree that you may not need a full-time employee, especially when the role is outsourced. Whichever the case, the regulation is clear on the officer's position. Be sure to understand what it takes before settling on one. Some of the rules that come with this position that might interest you are:
- The GDPR requires that the DPO works independently. That is to say, they must receive no instructions on how to perform their duties. The DPO reports directly to the highest level of management, and they must not be dismissed or penalized for performing their tasks.
- Data subjects can also contact the DPO about issues related to the processing of their data.
- The officer is bound by secrecy and confidentiality in the performance of their duties.
- Companies must support the DPO's functions. They must provide access to the necessary resources, personal data, and processing operations.
- The DPO should not perform other duties that create conflicts of interest.
- The appointment should not be a short or fixed-term contract. The officer's appointment should have a minimum term with spelt-out dismissal conditions.
- The controller must ensure that the officer is involved properly and in a timely manner, especially on issues related to data protection.
What Does A Data Protection Officer Do?
Under the GDPR, the organization itself is responsible for data protection compliance: businesses remain accountable and must guarantee compliance with data protection law. The beauty of it is that you can still contract a processor to carry out core activities on your behalf. If an obligation agreed between the controller and processor goes unfulfilled, the processor takes the blame; even so, as the company and controller, you still shoulder the larger burden.
The Data Protection Officer's job is to oversee and establish that you have complied. Other roles played by the officer include:
- Training data subjects and the controller on data protection rights and responsibilities.
- Tracking the company's policies and their compliance with personal data protection regulations.
- Working with the commissioner on interpreting and applying the data protection rules.
- Monitoring the organization's compliance with the applicable data protection regulations.
- Advising you on data protection impact assessments and their performance.
- Handling complaints from individuals and from bodies like the European Data Protection Supervisor (EDPS). The EDPS is an independent institution tasked with ensuring that all European institutions respect the right to privacy and data protection.
- Finally, accounting for the risks associated with processing operations, and giving the relevant authorities advice and analysis.
Can Your Company's Legal Expert Occupy The Data Protection Officer's Position?
GDPR's Article 37 states that the DPO's appointment depends on their professional qualities. It also emphasizes that they should have expert knowledge of data protection law and practice. Given that the regulation leans toward legal expertise, can the company lawyer take up the role? What about the IT staff and the chief security officer? Are they eligible?
We don't dispute that the lawyer helps the company manage its legal risk. Neither do we downplay the role of the IT staff and the chief security officer. The only thing we aren't sure of is their ability to balance the two positions.
In an ideal situation, we would expect the DPO to be the company's legal expert: someone with knowledge and experience in data protection, privacy, cyber-security, and the GDPR. If not, the individual should at least have expertise in IT security. Is this the case in a typical situation?
In a way, yes. The regulation allows the person appointed as the DPO to have more than one duty. However, the other functions must not give room for conflicts of interest. In our case, the best option is the lawyer, one who has specialized in data privacy and technology. They understand the ins and outs of the law, data protection, and IT security.
The only barrier to their performance is the conflict of interest. The conflict arises from the nature of their pre-existing positions as legal experts. The only way to solve this problem is to avoid assigning them two conflicting roles. Some of the roles you should consider not giving to the DPO include:
- Senior managerial positions - involve decision-making on personal data processing, and expose the holder to economic interests and the desire for control.
- Chief legal counsel - influences risk acceptance and the use of personal data.
- Head of legal - balances the organization's interests against the applicable law.
- Head of department - makes decisions on the use of data in achieving the company's objectives.
- IT and marketing manager - decides which areas to explore for marketing purposes.
Failing to guarantee the DPO's independence can result in a hefty fine.
All we are saying is: let them stick to being DPOs. If they have to help elsewhere, it shouldn't inhibit their independence or create conflicts. Allow them to play only a complementary function to other departments.
Other responsibilities that the DPO is not obliged to take on include:
- To account for the company's data breaches.
- Organizing information security.
- Organizing Data protection.
- Implementing security, data protection, or privacy by design.
- Risk management and assessment.
How Can You Make The Position Of A DPO Effective In Your Company?
Having an effective DPO also involves having structures in place to support them. Some of the good practices you can adopt to help them are:
- Draw up internal rules, including safeguards to avoid conflicts of interest.
- Separate the positions that might interfere with the DPO's function and independence.
- Raise awareness among your staff and make it known that the officer has no conflicts of interest.
- Set aside budget for external legal advice if the DPO needs a second opinion.
- Finally, be clear and detailed when advertising and appointing the role, to avoid conflicting interests.
Do I Need A DPO? Does My Vendor Need One?
Are you still wondering why you must hire the services of a DPO? The two main conditions that make one a must-have are:
- Your business operates in the EU and processes personal data on EU citizens and residents.
- Your company is outside the EU but offers products and services to EU citizens, or monitors their behaviour.
Other reasons why you need them are:
- The officers ensure that you are continuously improving your data protection.
- A DPO complements the company's chief information security officer. The two work together to improve data protection and compliance.
- Appointing a DPO helps you align with the GDPR. This assures your customers that you are serious about data privacy.
- The GDPR requires you to have a breach response plan in place before a breach occurs. This is where the services of a DPO come in handy: they plan ahead and help you manage the crisis before it happens.
- They are always available to respond politely and professionally to Subject Access Requests. You don't have to leave your managerial role to attend to these requests, so you are assured of a disruption-free environment and cost-effectiveness as well.
- DPOs train and guide you and your staff through the complex data privacy regulation.
- Lastly, they help you protect your business from cyber-attacks and exploitation.
Does Your Software/Service Vendor Need To Have A DPO?
Failure to appoint a DPO exposes your business to an administrative fine, and you can't afford to hire a service vendor without an appointed DPO either. For starters, a processor cannot engage a sub-processor without the controller's written authorization. The authorization can be either:
- Specific - The controller explicitly allows the processor to contract a specific sub-processor of the processor's choosing.
- General - The controller approves the processor's list of preferred sub-processors.
The processor only signs a contract with the sub-processor after receiving the authorization. This agreement contains the same obligation signed between the processor and the controller. In the event of a law violation by the sub-processor, the processor becomes liable to the controller. The question that begs an answer is, does your service vendor have a DPO? If they do, are they qualified?
There are many dangers in contracting a service vendor without an appointed DPO. First up, the controller bears the greater responsibility and liability for personal data protection, while the service vendor is only liable to the processor for failing to meet the contract terms. Any mistake a sub-processor commits affects the controller directly; the processor is only affected when the controller demands compensation.
Do you now realize how important it is to select a compliant processor? The same applies to your service vendor. Choosing a service vendor with an appointed DPO gives you peace of mind. You can relax knowing this is an expert who understands that:
- There must be a binding contract that outlines the subject matter and duration of the processing.
- The nature and purpose of the processing must be specified.
- The types of personal data and the obligations to the controller must be set out.
The only person who can fully comprehend this is a professional DPO. So, before you take that step, investigate first.
We respect your decision to use the services of a vendor you trust. But at what expense? Hiring the services of a vendor who doesn't have an appointed DPO is detrimental. Consider the gap in the DPO position as a red flag and proceed with due diligence.
TL;DR: Take your time and scrutinize the vendor. Then, hire them only after finding them satisfactory. Better a little caution than a great regret.