Since the EU’s GDPR (General Data Protection Regulation) came into effect in May 2018, the international shortage of DPOs (data protection officers) has increased. The Regulation stipulates that certain organisations must appoint a DPO to monitor data protection compliance and act as a contact point for data subjects and supervisory authorities.
The appointed person must have data protection expertise, but the GDPR doesn’t specify what level of experience or qualifications are required. Many organisations may have appointed a DPO without the necessary skills to fulfil the role, leaving them open to errors and vulnerable should the supervisory authority – for the UK, the ICO (Information Commissioner’s Office) – decide to investigate. It’s also vital that the chosen DPO doesn’t have a conflict of interest, i.e. doesn’t determine the purposes and means of processing the personal data.
You will need to appoint a DPO if you:
- Are a public authority or body;
- Regularly and systematically monitor data subjects; or
- Process special categories of data on a large scale.
What about outsourcing?
The GDPR is clear that outsourcing a DPO is an option, which should be considered when an organisation doesn’t have a privacy department. Some benefits of outsourcing the DPO role:
- Cost-effective when compared to hiring a privacy professional full time.
- You can rely on several experienced DPOs rather than just one, which means more hands on deck should you suffer a breach.
- The DPOs are available 24/7, and there’s no holiday or sickness time.
- No conflicts of interest.
IT Governance offers DPO as a service on an annual subscription basis. You’ll get a certain number of hours each month to use the services of our DPOs, covering the following responsibilities:
- Review and advise on policies, procedures and documentation relating to the processing of personal data.
- Oversee the establishment and maintenance of the personal data processing register.
- Advise on the necessity of a data protection impact assessment, the manner of its implementation and outcomes.
- Provide guidance on data breach monitoring, management and reporting.
- Provide advice and guidance on responses to individuals exercising any or all of their rights (the rights to be informed, of access, to rectification, to object, to erasure, to data portability, to restrict processing, and rights relating to automated decision-making and profiling).
- Serve as the contact point to data protection authorities for all data protection issues.
- Facilitate GDPR awareness training and the training of staff involved in data processing operations.
- Monitor compliance with the GDPR.