In our blog today, from Karen Heaton at Data Protection 4 Business, we look at Data Protection Officers. But do you need one?
Well… probably not, unless you regularly and systematically monitor data subjects on a large scale. Or you are a local authority.
OK, you don’t. BUT you do still need someone in your practice or organisation who is responsible for ensuring your business is compliant with GDPR and the Data Protection Act. So, somebody needs to be responsible!
Responsible for what?
Even for small and medium sized organisations, someone will need to be skilled and available to undertake these tasks:
- Responding to Subject Access Requests and managing Data Breaches
- Reviews of security – physical and IT
- Making sure your organisation is compliant or has a work plan to become compliant
- Training staff in all areas and responding to any queries from clients, suppliers or staff – remember the lessons from Data Breaches in our earlier blog? Staff can be a major source of data breaches – unintentionally or not!
- Working across all business functions, such as IT, Marketing, Finance and operations to understand the data in use and ensure operational procedures are in place
- Policing the operations to ensure procedures are being followed AND are effective
What skills are needed? Can this be outsourced? Absolutely, yes.
A good DPO should be able to wear many hats and have a wide range of skills.
- Strong IT knowledge, a detailed understanding of the regulations, knowing what ‘being compliant’ looks like, and good project management skills to manage the changes needed within an organisation
- Be active in the Data Protection space, follow trends, keep abreast of risks and continually scan for solutions e.g. software products to automate tasks
- Save you time and money. For small and medium sized organisations, training up a member of staff or a small team can be costly and time consuming, so outsourcing can be a cost-effective solution
- Support your organisation in Data Protection Impact Assessments to identify business risks
- Be independent and objective – a key requirement of the role according to the regulations
Internal resource or an outsourced service?
This depends on a number of factors, and it can be a long list! But it mainly boils down to a) what risks your organisation may be running and b) what skills your resources have.
- What are your data risks? Do you process Sensitive or Child data? Do you store financial details?
- How many customers, staff and suppliers do you have?
- Where are your data stored?
- Do you sell things via your website?
- Is your industry a target for cyber attacks?
There’s a lot to think about, that’s for sure.
Today’s fact: according to the GDPR and Data Protection Act, the DPO role can be outsourced to another organisation.
=> This may be a more efficient solution for your business. However, do check their credentials first!
Karen Heaton, CIPP/E, CIPM
Certified Information Privacy Professional
Data Protection 4 Business Limited
Data Protection for Business offers outsourced data protection officer services:
Previous blogs in the series:
- GDPR and data processing
- Data Protection Operational Risks & Penalties
- Introduction to GDPR for healthcare