You need a Data Protection Officer
You’ve decided, because of either the size and operating scope of your business or the nature of the data processing involved, that you need to appoint a Data Protection Officer (DPO) to comply with the GDPR/Data Protection Act 2018. Alternatively, you might just think it’s simpler to have one person dealing with your data protection obligations.
Could your IT Manager do the job as an add-on?
If you haven’t looked into the topic too closely, you might consider adding the role to the duties of your IT or operations manager. That might seem an obvious step to take since the person responsible for running your IT and ensuring that your network functions securely is already protecting your data.
Examine the requirements yourself or take advice on the subject, and you’ll find that the role of the Data Protection Officer requires an unusual skill-set and a remit that carries complete autonomy – which we’ll take a look at once we’ve identified what a DPO is expected to do.
How Does Your DPO Job Description Measure Up?
Take a look first at what GDPR/DPA 2018 describes as the minimum responsibilities of a DPO.
While there are many organisations recruiting for a DPO, the skills specifications of these posts vary enormously. Some organisations are under the illusion that the role of a DPO is primarily a technical one and are searching for candidates with a strong IT background. While there is a need for the DPO to understand the ways in which data is processed, stored and disposed of, the GDPR/DPA 2018 emphasis is on regulation, governance, advice, education and communication.
Does Your DPO have Legal Training?
Returning to the description of the DPO role within the regulation:
- To inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
This requires an ability to provide a clear interpretation of the law in layman’s terms – not only the GDPR and the Data Protection Act, but also the Privacy and Electronic Communications Regulations (which are also due to change soon), the Human Rights Act and others, including how they collectively intersect.
The role of Data Protection Officer is more suited to an individual with an overall understanding of the elements of data processing and an ability to apply the law to processes involving personal information than it is to someone with advanced technical or operational management abilities but much less knowledge of the law.
The GDPR/DPA 2018 is a legal instrument that calls for some interpretation when applied to the many ways in which data is processed. To consider the application of the law in a business environment also requires a background in how business decisions affect operational performance and where a line can be drawn between legality and illegality. Part of the DPO’s role is to ensure that an organisation can function efficiently while keeping on the right side of that line: assessing risk as you go to see what your business is happy to live with and can afford, and working out how to record and monitor that risk over time.
Need some help? Call us on 01244 300413 or email [email protected]. We offer a no-obligation free chat to help you work out what is best for you to comply with GDPR.