The EU General Data Protection Regulation brought the role of Data Protection Officer (DPO) to the fore. (Due credit to Germany which originally introduced the concept as far back as 2001.) The European Data Protection Board (EDPB) recently announced plans to start enforcing the role more closely, so, as the fifth anniversary of the GDPR was upon us last week, let’s take a closer look at the DPO.
Under the GDPR, certain organisations are required to appoint a DPO to act as an independent advisor and ensure that the company complies with data protection regulations. This includes companies processing large amounts of personal data, public authorities, and companies that carry out regular and systematic monitoring of individuals.
DPO in Detail: What the Role Entails
As we outlined in a two-part blog last year, the role essentially involves three key aspects: monitoring the organisation’s data processing activities, providing guidance on data protection impact assessments, and liaising with data subjects and regulators.
A DPO doesn’t necessarily need to be a full-time position. That will depend on the complexity of the data being processed and the size/structure of the organisation. It’s worth highlighting that most small and medium enterprises can manage their GDPR compliance as part of a different role once the initial governance structures and departmental responsibilities are in place.
Even where the GDPR doesn’t specifically require a DPO, the EDPB encourages this as good practice.
Companies that are required to appoint a DPO must ensure they have done so and that the DPO is fulfilling their duties effectively. This includes providing the DPO with the necessary resources and support to carry out their role. Organisations that don’t comply with this requirement could face fines and other sanctions.
Right Resources: Checking the DPO’s Support
In fact, this is exactly what the EDPB is targeting. When it launched the enforcement earlier this year, the board said it would involve coordinated action by data protection authorities around Europe to gauge whether DPOs have the organisational position required by articles 37-39 of the EU GDPR, along with the resources needed to carry out their tasks.
“The results of the joint initiative will be analysed in a coordinated manner and the DPAs will decide on possible further national supervision and enforcement actions. In addition, results will be aggregated, generating deeper insight into the topic and allowing targeted follow-up at EU level. The EDPB will publish a report on the outcome of this analysis once the actions are concluded,” the board said.
The EDPB’s decision to start enforcing the role comes after a review of the DPO regime under the GDPR. This found that some companies weren’t appointing DPOs where required, and that some DPOs were not fulfilling their duties effectively. As a result, the EDPB has decided to take action to ensure that the DPO regime is being enforced properly.
What the EDPB Enforcement Means For You
So what will this enforcement action mean for organisations? In our opinion, many are going to realise that they don’t have the role properly resourced. This may be easier said than done. According to the Irish Computer Society, a DPO is typically expected to have skills including significant experience in:
- EU and global privacy laws, including drafting of privacy policies, technology provisions and outsourcing agreements
- IT operations and programming, including attainment of information security standards certifications and privacy seals/marks
- Information systems auditing, attestation audits and the assessment and mitigation of risk
- Demonstrated leadership skills achieving stated objectives involving a diverse set of stakeholders and managing varied projects
Such skills are hard to find: “significant experience” is shorthand for five to ten years’ experience in the areas above. Earlier this year, a global survey by ISACA found that 94 per cent of global businesses have a privacy skills gap, while 59 per cent of technical privacy teams are understaffed.
Sourcing suitable expertise in house is just one of many challenges that organisations could face in appointing a DPO. Others include the DPO’s ability to stay current with the latest developments in privacy or changes to the legislation. Will there be enough work to justify appointing a full-time DPO? On the other side of the coin, are there enough in-house resources to justify assigning the role to someone on top of their other job?
This leads on to one of the biggest challenges with the DPO role. If the person also has other duties that need them to make decisions about their employer’s data processing, then holding the DPO role at the same time would constitute a conflict of interest. This would affect many organisations that appoint their head of IT, or chief operating officer, to act as DPO.
Outsourcing Option: How to Find External Expertise
With these challenges to think about, and with tighter enforcement coming, the case for outsourcing the DPO role becomes attractive. Working with a suitably skilled, experienced and qualified third party solves the skills question and removes the conflict of interest. Because the service is delivered on demand, often as a set period of time every month, companies can also tailor the amount of time purchased to their needs.
The organisation still needs to make sure the outsourced DPO provider is competent to deliver those services in line with what the regulation requires. Here are some of the useful questions to ask when checking a provider’s credentials:
- Is it just one person or – ideally – a team of experts with experience across many sectors?
- Do the team members have appropriate qualifications, e.g. CIPPs, CIPP, CIPM?
- Does the provider have cybersecurity expertise (or access to it)?
- What is the availability of team members to be on call for your organisation?
- What response time and service level agreement can the team provide?
- Can you check the provider’s trustworthiness through word of mouth, references, or reputation?
- What publications or presentations has the provider or team principals delivered?
- What documentation is the provider willing to supply?
We believe the EDPB’s decision to start enforcing the role of DPOs is an important step in ensuring that companies are complying with data protection laws and regulations. Businesses must ensure they have either appointed a DPO where required or are working with a skilled third party – and that the nominated DPO is fulfilling their duties effectively. Privacy is a human right: more important than avoiding fines or sanctions, filling the DPO role effectively makes an organisation proactive in building trust with customers and stakeholders by showing an ethical commitment to data privacy.