This is week seven of the GDPR walkthrough. It’s time to look at the less technical demands of the regulation and turn our attention to how you need to structure your organisation and allocate responsibilities around the teams. Primarily this is around the Data Protection Officer (DPO) function.
What are the expectations?
Article 37 of GDPR is where focus is turned to the role of DPO, detailing what the DPO should do, when they should do it and how they need to be positioned. However, what is left to the company to decide is whether a dedicated DPO is required, or whether the responsibilities can be allocated within the existing team. Earlier drafts of GDPR attempted to put a headcount threshold on the requirement (e.g. more than certain number of employees meant a dedicated DPO needed to be in place) but these were removed from the final draft with the exception of some clear instances when a DPO was required. These guidelines are a DPO is required:
- Where processing is carried out by a public body
- Where core activities require regular and systematic monitoring of personal data on a large scale
- Where core activities involve large-scale processing of sensitive personal data
Even with these three instances, there is plenty of room for interpretation and organisations may find themselves no wiser as to the need for a DPO after reading these. If that is the case for you, perhaps looking at the expectations of what the DPO role should perform will help.
What are the role responsibilities of the DPO?
According to GDPR, the DPO must:
- ‘inform and advise of obligations’ – in other words, keep the organisation in line with the regulation
- ‘monitor compliance’ – the DPO is expected to be the Board’s ear in terms of compliance. There will be areas in every organisation where compliance slips, the DPO must ensure this is communicated
- ‘provide advice with regard to data protection impact assessments’ – it is the DPO who will (normally) lead or conduct Data Protection Impact Assessments when one is required (see week three)
- ‘cooperate & liaise with the Supervisory Authority’ – the DPO contact details need to be submitted to the Supervisory Authority (SA) and be available to speak to them should the need arise. The DPO is expected to stay current with communication or updates from the SA
- ‘have due regard to risk associated with processing operations’ – the DPO should be the voice of reason for the organisation and highlight risk in the organisation operations
From this it is easy to see how it could quickly become a full-time role, especially given the requirement for cooperation and liaison with the SA. They want someone available to them to work with, especially if something goes wrong
How to structure your organisation?
The other specification of the DPO position in the GDPR is that of where the position should sit and report to and, how the position should be protected. As the DPO role is about ensuring compliance, it should not sit within the delivery functions of the business or IT. The rationale behind that is the role should be impartial and be able to call out risk associated with change and therefore not be part of the team delivering the change, so if an internal staff member is delegated as the DPO, they would normally sit within a Risk, Compliance or Governance function to ensure the required independence. The GDPR states that the data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices, so make sure you get the right person.
There are also stipulations about reporting lines – the DPO should have ‘direct access’ to the board. This doesn’t necessarily mean they need to report to the CEO or one of the senior team, but they need to be able to escalate directly without needing to go through multiple go-betweens, risking the dilution or loss of the message. Following from that the DPO will ensure that Data Protection is on the board agenda. Lastly, the DPO position should be ‘protected’ and not risk losing their job, career prospects or bonus just because they called out a risk.
If this all sounds a little daunting, don’t worry, help is available…keep reading.
Contract DPO Service
GDPR states that the DPO does not need to be a permanent employee of the organisation, so if you are concerned that either you do not have someone with the required skills and experience, Intersys Compliance offer a Contract DPO service which will give you an assigned, experienced DPO who will act as the dedicated, named and communicated DPO for your organisation.
The contract DPO service can be tailored to meet the requirements of the organisation, but the standard service offering includes the following components:
- An initial ‘Applicability Assessment’ run by Intersys Compliance to understand and report on the improvement areas and prioritised action points. This assessment will be carried out at the start of the contract and can be repeated periodically outside the Contract DPO agreement if required
- With the input of your organisation, Intersys Compliance will prepare a suitable reporting format for updates to the senior management and board
- The above report in will be delivered monthly, (or as otherwise specified) and cover progress against known issues as well as escalating new issues. This fulfils the GDPR requirement to have Data Protection on the board agenda and access to senior management on an impartial basis
- Support will be given to the customer to carry out Data Protection Impact Analysis work as required by GDPR
- The Contract DPO will be on a site as defined by your organisation, but at least one day per month to carry out Data Protection Impact Analyses, deliver reports to senior management, carry out education or any of the other DPO relevant activities
- Intersys Compliance will register with the Supervisory Authority the name and contact details of the Contract DPO and cover the communication and liaison requirements
Summary of Organisational Structure
While GDPR is quite clear about the duties and reporting line of the DPO, what a lot of organisations are struggling with is whether they need a dedicated resource or not. The best guidance to follow for your organisation is to think ‘worst case’. If something goes wrong, did you have someone available to track the change, to perform a DPIA, to report the risk to the Supervisory Authority, to communicate the situation to the board and to work with the Supervisory Authority before, during and after a change or breach?
If you have someone who has all the credentials then there’s nothing to worry about. If not, speak to Intersys Compliance and see if the requirement can be filled much more efficiently than going to the market.
Next week – eight of eight:
You’re on the home straight folk – next week we will be wrapping up the two months of effort with a review of what needs to be considered regarding the Storage & Retrieval of Data.
Any questions contact about this week or any other GDPR topic, please contact firstname.lastname@example.org
Graeme Riley is an experienced Global CIO with extensive experience in IT Security and Data Protection. He is currently a Director at Intersys Compliance Ltd.