When selecting a DPO, it’s essential to feel confident that there will be a synergy between you, allowing a constructive working relationship to evolve in which they can independently inform and support you in a way that appreciates your aims as an organisation and enables and empowers you to develop your potential.
What is the role of an effective Data Protection Officer (DPO)?
To quote the ICO, under the UK GDPR you must appoint a DPO if:
· you are a public authority or body (except for courts acting in their judicial capacity);
· your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
· your core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.
Currently, the DPO’s tasks are assigned under Article 39: to inform and advise you on how to comply with data protection laws.
You should reasonably expect that your DPO will help you raise data protection awareness internally by offering guidance on policies and procedures, training expectations, data protection impact assessments, and recording and auditing, and by being your knowledgeable, calm and independent first point of contact when dealing with the ICO, should they need to communicate with you.
One of the questions our clients regularly ask is whether the DPO can be a company employee, and the answer is yes, if it works for your organisation. Provided they can carry out their role independently, without a conflict of interest and without fear of being penalised in any way for conducting their tasks fairly and honestly, there is no barrier. You may also appoint a single DPO to look after the needs of a group of companies, or choose to outsource the role of DPO to a specialist company, which is what many of our clients choose to do with us.
Changes may be afoot for the DPO.
The long-awaited Data Protection and Digital Information Bill proposes to remove the role of DPO and replace it with “Senior Responsible Individual”, or SRI.
An SRI will continue to be required when an organisation processing personal data is a public body or is conducting high-risk processing. The SRI will be required to be part of senior management, with tasks broadly replicating those of the current DPO, such as monitoring legislative compliance, organising training, and co-operating with the ICO in relation to data breaches and complaints.
Whether you are seeking a DPO now, or looking to the future, the renaming of the DPO as the SRI does not detract from the essential expectation that your organisation will still be required to evidence effective and independent data protection management.
The DPO (or future SRI) must also understand the sector you are operating in.
- How does this influence what data you are processing?
- What are the influences and relevant contexts to consider?
The most effective way for the DPO to develop this appreciation is to meet regularly with the influencing members of your organisation. An agreed programme of meetings will support this requirement. Emphasis has been placed on the independence of the DPO, but they also need to be a team player.
The best interests of your specific group of data subjects must be at the heart of what you do. The Senior Information Risk Owner, Caldicott Guardian (if you have one) and the other key players who support your data management functions need to be engaged with the DPO when the need arises, allowing all parties to discuss and exchange information arising from audits, analysis of events and other findings.
The time you most need straightforward advice is usually when things are proving testing, and it’s at times like this that you will benefit from having confidence that your DPO understands how your organisation manages its data assets and has your best interests at heart.
As mentioned, many of our clients choose to outsource their data protection roles to external consultants like ourselves. If you feel your organisation would benefit from this option, or would like to discuss how we can assist you in other ways, please do get in touch with us.