Who is allowed to be the DPO for your organisation?
The role of Data Protection Officer is primarily to support, advise and guide you in how to comply with data protection and privacy regulations, including the GDPR and the new Data Protection Act.
You have four options regarding the DPO appointment:
- Do nothing
- Use an internal member of staff
- Hire a new member of staff
- Outsource to a service provider
This article discusses the four options.
1. Do nothing
As an organisational leader you are always balancing priorities and managing risks. So, the option exists of course to ignore this aspect of the regulation and do nothing. However this is likely to be unsuitable for several reasons.
The most immediate reason is that a DPO is a professional there to provide practical, expert advice on how to process personal data within the law. If you do not have this advice then your policies, day-to-day operations and technology will likely be non-compliant. This quickly leads to the next problem.
Things will go wrong. And when they do, you’ll most likely start receiving complaints and claims from customers or employees, possibly seeking financial compensation for distress or harm caused by the misuse of their personal data. This can be a hugely stressful situation, with potential monetary consequences. And, it’s avoidable.
If the data subject complains to you, then next they’ll likely use their right to lodge a complaint with the regulator. If the regulator then discovers that you have infringed the GDPR rules by not having a DPO, they have the power to impose a fine of up to €10 million or 2% of annual global turnover (whichever is the greater).
In summary, this option is only for organisations that pose NO risk to privacy or who think that their brand reputation has no value. As that’s highly unlikely to be the case, then don’t consider this option!
2. Using an internal member of staff
You may be thinking that assigning the DPO responsibility to one of your senior staff will solve the issue. Far from it. That’s because the GDPR is clear on how the DPO role must be performed, which makes it highly unlikely that an existing staff member could meet the criteria. In summary the appointment of the DPO has to ensure:
- Expertise – the regulators expect that a Data Protection Officer has certain professional qualities and knowledge of data protection laws.
- No conflict of interests – the DPO cannot have any conflict of interest between protecting the interests of data subjects and their role in meeting organisational goals.
- Independence – the DPO is required to have a large degree of independence – so, not influenced in how the role is executed.
Now we’ll briefly examine what these criteria mean.
Expertise
The DPO must have a detailed understanding of data protection laws – and the GDPR is not the only relevant law! Furthermore you’ll need a DPO who can operate from senior management down, across all your functions and departments.
Just some of the areas covered by a professional DPO include advice and guidance on data protection obligations, the lawful basis for processing data, operational matters concerning people and processes, data sharing agreements between entities, technical data security measures, online and offline marketing, guiding the response to data breaches, managing complaints and claims, monitoring compliance, board-level reporting, auditing, liaising with data subjects and cooperation with the regulator.
As you can see, it’s quite a list requiring expertise across many areas.
No conflicts of interest
The GDPR has been put into effect to protect the rights and freedoms of data subjects, including your customers and staff. As such, the DPO has to represent their interests and build that into everything that the organisation does with their data.
A more fitting title for the role is Data Subjects Protection Officer.
So, it’s simply not feasible for a member of staff, who is employed to achieve the organisational interests, to simultaneously strive to achieve data subjects’ interests. The purposes are incompatible and produce a conflict of interest. We come across organisations that want to use an external lawyer. We’ve written an article about not using a lawyer as a DPO.
Independence
Because the DPO is there to protect the rights and freedoms of data subjects, there cannot be any influence on how the duties are performed or in the advice or guidance given.
It’s simply unrealistic to expect a member of staff to go head-to-head with the boss over GDPR compliance without being influenced by the power imbalance.
In summary, it’s the best option for companies who already employ a data protection professional in a risk and compliance function. Otherwise, don’t consider it.
3. Hire a new member of staff
Having ruled out an internal member of staff you may consider the option of a new member of staff.
As mentioned before, there are a number of competencies required to conduct the role in an expert manner, so you’ll have to hire a senior member of staff. You’ll need their seniority to have appropriate influencing skills where it matters.
It’s estimated that over 70,000 new Data Protection Officers will be required worldwide to cope with the GDPR; however, when examining just how many scenarios and sectors are mandated to have a DPO, this forecast looks very low. Our infographic highlights some of the key data around salaried DPOs.
This means that the total cost of an employee DPO (including salary, benefits and overheads) is unrealistic for 99% of UK small businesses, charities and schools.
In summary, this is an option suited to complex, corporate entities needing a full-time DPO.
4. Using an outsourced DPO service provider
If you’re running a small business, a medium-sized business, a charity or a school, then you may not need a full-time DPO. In this scenario an external service provider is the way to go.
You can get the advice and guidance from an independent, data protection expert, without all the overheads that come with a salaried member of staff.
Also, having a professional Data Protection Officer on your side gives you the peace of mind of knowing that your GDPR compliance will be set up correctly and have the necessary ongoing oversight. Should the worst happen then your DPO will also be there to support you with any data breaches, complaints and claims – as well as managing communications with the relevant data protection authorities.
In summary, this option is suited to charities, health providers and small/medium-sized businesses, balancing data protection risks alongside budget constraints.
How can we help you?
Get in touch and find out how we can help you achieve your goals