When it comes to mind-boggling stats, the amount of digital data that’s created is staggering: 90% of all data today was produced in the last two years – that’s 2.5 quintillion bytes of data per day based on the current pace. To put this into perspective, that includes over 3.5 billion Google searches, 306.4 billion emails and 500 million Tweets in just 24hours. The ubiquity of mobile technology like smartphones and tablets, along with innovations in mobile networks and WiFi, have perpetuated this exponential growth in data creation and consumption – conveniences that have enabled businesses to harness this data explosion.
But it’s not just the volume of digital data being created that’s a major consideration for business leaders; it’s the type of data. Businesses process huge amounts of sensitive personal information – such as customer bank account details – daily, and have an increasing duty to protect it. Failure to do so might result in legal action, financial penalties and reputational damage. Enter: the Data Protection Officer (DPO).
What is a DPO?
Essentially, a DPO is responsible for overseeing a business’s data protection strategy and its implementation to ensure compliance with General Data Protection Regulation (GDPR) requirements (more about GDPR shortly). According to the Information Commissioner’s Office (ICO): “DPOs assist you to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the ICO.”
Does your business need to appoint a DPO?
To answer this question, you must begin by determining if the EU Regulatory law GDPR on data protection and privacy applies to your business. If it falls into one of these two categories, the answer is yes:
- Based in the EU and processes personal information of EU citizens and residents.
- Not based in the EU but offers products or services to EU residents or monitors the behaviour of EU residents.
Once you have determined that your business must adhere to GDPR, you will be required to appoint a DPO if your organisation meets one of three criteria, regardless of the size:
- Public authority – personal data is processed by a public body or public authority.
- Large scale, regular monitoring – personal data processing is the core activity of your organisation, which regularly and systematically observes the “data subjects” (citizens or residents of the EU under GDPR) on a large scale.
- Large-scale special data categories – the core activity of the business consists of large-scale data processing of “special” data categories (as defined by the GDPR) or data relating to criminal convictions and offences.
What does a DPO do?
Reporting directly to “the highest management level”, the DPO has six major tasks under GDPR:
- Informing the organisation and its employees of their data protection obligations under GDPR and any other applicable EU member state data protection provisions.
- Receive comments and questions from data subjects about how their personal data is processed under GDPR.
- Monitor the organisation’s compliance with GDPR, internal data protection policies and procedures and any other applicable EU member state data protection provisions. This includes the assignment of responsibilities, compliance training and performing audits.
- Advise on and perform DPIAs where necessary.
- Be the point of contact for the relevant supervisory authority (typically the ICO) on all data protection issues, including data breach reporting.
- Be the point of contact for data subjects on privacy matters, including Data Subject Access Requests (DSAR).
Who can be a DPO?
The GDPR does not include a specific list of DPO credentials, but there are several requirements that should be considered when appointing one:
- Article 37 of the GDPR requires a DPO to have “expert knowledge of data protection law and practices.”
- The GDPR specifies that the DPO’s expertise should align with the organisation’s data processing operations and take into consideration the level of protection the personal data requires.
- It would be an advantage for the DPO to have a good knowledge of the organisation’s industry or sector.
- The DPO can be an existing employee, provided their professional duties are compatible with the duties of a DPO.
- The DPO must not have a conflict of interest, meaning they must not have any current duties or responsibilities that conflict with their monitoring responsibilities.
Does my business have to publish information about the DPO?
Under the GDPR, organisations that appoint a DPO are required to publish their contact details and provide them to the ICO; however, you are not required to include the name of the DPO when publishing their contact details, but you can if you think it’s necessary or helpful. This enables data subjects, employees and the ICO to contact the DPO as required.
You are also required to provide the DPO’s contact details when consulting the ICO about a DPIA under Article 36 of the GDPR; and when providing privacy information to individuals under Articles 13 and 14.
Is the DPO responsible for compliance?
No. As the data controller or processor, it remains the organisation’s responsibility to comply with the GDPR. However, the DPO plays a crucial role in helping you fulfil your organisation’s data protection obligations.
Can you outsource a DPO?
Yes – GDPR guidelines allow organisations to outsource the DPO role to an external provider. This is a vital service for organisations, particularly smaller ones, that are obligated to appoint a DPO but don’t have the resources or expertise to appoint from within. The process of training an existing employee to fill the DPO role is often time-consuming and costly given the breadth of knowledge required around data processing and data security operations.
Outsourcing your DPO responsibilities provides access to expert advice and guidance that helps you adhere to the GDPR’s compliance requirements, allowing you to focus on running your business. If you are considering outsourcing the DPO role, the benefits include:
- A cost-effective solution to achieve GDPR compliance.
- Access to independent DPO knowledge and experience
- Elimination of conflicted interests.
- Delivery of best practice in achieving and maintaining GDPR compliance.
- Access to GDPR training and compliance solutions.
The proliferation of digital data in recent times can be a double-edged sword for businesses: on one hand it facilitates growth and informed decision making; while on the other it exposes them to a multitude of data processing demands – and failure to comply can have severe implications. The recent modernisation of EU data protection and privacy laws, AKA GDPR, is largely responsible for this enhanced duty of care. Rather than leaving organisations rudderless when it comes to meeting their compliance demands, the GDPR requires organisations under certain conditions to appoint a DPO, and it’s up to you as a business to get this appointment right.
Data is your most valuable asset, don’t open yours up to being breached, or put your business at risk by not meeting GDPR requirements.