The GDPR and the challenges faced when appointing a DPO

The GDPR. We’ve all heard a great deal about it over the last few months, and your inbox has probably been filled to bursting with privacy policy updates from every company you’ve ever bought from.

The General Data Protection Regulation, which came into force in May 2018, has reformed the laws around processing the personal data of EU residents. It also requires all public bodies and many private entities to appoint a DPO (data protection officer).

So, what exactly is a DPO and what do they do?

Let’s start with the basics: a DPO is appointed by an organisation to monitor the application of the GDPR and ensure compliance. But what does this actually mean?

In reality, it’s a great deal more complicated and comes with huge responsibility.

DPOs must be highly knowledgeable, highly skilled and highly experienced. Although they do not need to hold specific qualifications, they are expected to have expert knowledge of data protection law and information security.

The role also includes but is not limited to monitoring the organisation’s compliance with the Regulation, advising on how to apply its requirements, and being the main point of contact for both staff and the ICO (Information Commissioner’s Office) on anything and everything relating to the processing of personal data within your organisation.

It’s not an easy feat.

According to the IAPP (International Association of Privacy Professionals), as many as 75,000 new DPOs are now needed globally. However, being a relatively new role, there is a vast shortage of talented candidates.

Some organisations may opt to appoint someone in-house, and it is possible for your DPO to perform another function or role within the business. However, not only does this present a potential conflict of interest, but finding the time to adequately execute the tasks and responsibilities could also prove challenging. While a DPO must have access to all personal data processes and activities within the organisation, your DPO must also be independent.

Additionally, with data protection becoming a top priority, it is likely your organisation will need to invest in both time and resources to sufficiently support your DPO.

Given the complexity of the role, it’s little wonder many organisations – especially small businesses – are outsourcing the role. Outsourcing your DPO can alleviate the pressure of complying with the GDPR while allowing you to focus on your core business needs.

IT Governance offers expertise and solutions to help you become GDPR-compliant.

Our Data Privacy Manager Service (GDPR) is designed for organisations that do not need a DPO but would like GDPR compliance support. For those that do require a DPO, our DPO as a service is a practical and cost-effective solution for organisations that don’t have the requisite data protection expertise and knowledge to fulfil their DPO obligations under the GDPR. We also offer the DPO Support Service (GDPR) solution, which provides additional support for organisations that already have a DPO.

Depending on your requirements, both services can be purchased in prepaid blocks of 1, 4, 8 or 12 hours.

These services can provide guidance on processing personal data, what to do should a data breach occur and maintaining your personal data processing register. Our experts can help you implement and monitor your level of GDPR compliance.

We also cover DSARs (data subject access requests), data protection authorities and the personal data processing register.


For more information on either of these services, arrange a call back with one of our GDPR experts.