GDPR – You’ve identified that you need a Data Protection Officer (DPO). What next?
The ICO has published guidance for organisations that will require a DPO following May 25th 2018, when the GDPR Regulations become law.
But once you’ve identified that you need a DPO to comply with GDPR, what next, and who should you appoint? Simply speaking, you can appoint a DPO from within your own team of employees, or you can appoint externally.
Option 1) DPO as an Employee
It is possible that an individual or team responsible for Data Protection already exists within your organisation, so it’s worth checking that they will be able to take on the additional responsibilities that come with GDPR compliance.
If you are planning to appoint an internal DPO, there are some additional aspects of GDPR that need to be considered:
- Conflict of interest. The GDPR states that the DPO must not be conflicted by having a dual role of governing data protection whilst also defining how data is managed. This would preclude your IT Manager, IT Director or Security Manager from holding the DPO role, plus possibly any Manager working in Marketing, Sales, etc. Be aware of potential conflicts.
- An expert in Data Protection. The DPO has to have adequate experience & knowledge, respected by all, whilst remaining separate from the IT & Security functions. They should know your business inside out, including how data is managed internally & by suppliers / clients, be able to establish best practice processes to identify GDPR non-compliance & will be the key person in your organisation in the event of a data breach. Do you have that senior capability in-house?
- An independent & ‘protected’ role. GDPR insists that the DPO must be independent from internal pressures, adequately resourced & report only to the highest management level. In essence, the DPO cannot be dismissed for performing their GDPR duties, such as reporting a ‘breach’ or insisting on new, robust processes. It is a unique role, acting independently & without recourse within your structure. This may not suit every organisation’s management approach.
Option 2) External DPO
The second option recommended by the ICO is to appoint an external DPO via a ‘Service Contract’, which immediately offers a solution to the issues outlined above. An external DPO retains independence, provides market-leading expertise to ensure your organisation is protected & avoids creating a new dynamic within your internal management structure.
Most organisations will not require a DPO full-time, perhaps needing a DPO for 2-4 days per month. The external DPO solution provides the relevant amount of high-level expertise required: less time- & budget-consuming than hiring a new DPO & more effective than giving an employee added responsibilities outside their knowledge, which could have consequences for the business.
At Assured Information Security, we can deliver a ‘Virtual DPO’ service for your organisation.
We have a highly experienced approach to Data Protection, IT Security & Governance & existing lines of contact within the ICO. In addition, our consultants are qualified GDPR Practitioners with SC & NPPV3 security clearance for your peace of mind.
If you’d like some advice on nominating your DPO, or would like to hear about Assured Information Security’s ‘Virtual DPO Service’, please get in touch.