Virtual Data Protection Officer

Using an external resource to balance your compliance programme

GDPR Expertise

GDPR will bring a requirement for expertise both in the lead-up to its implementation and beyond, as we gain further insight into its application.
When the General Data Protection Regulation (GDPR) comes into effect on May 25th across all EU and EEA states, affecting all organisations across the world who hold data pertaining to EU citizens, the way in which we map, monitor and deliver data security will change forever, and change for the better. It will empower, even demand, change. While we are, as people, essentially averse to change, particularly within a business environment, we are going to have to embrace this in much the same way that we have embraced other aspects of compliance.

The GDPR also brings some new challenges, such as how to handle Subject Access Requests, and new roles such as the Data Protection Officer, or DPO. As we come closer to the deadline in May, are you aware of the role of the DPO, whether your organisation must have one, or whether you would benefit from having one even if it is not specifically mandated?

What is a Data Protection Officer (DPO)?

The DPO is a role that is specifically defined within Section 4 of Chapter 4 of the GDPR articles. Article 39 in particular identifies the role of a DPO as:
  • Providing information and guidance to the controller or processor and any employees who are involved in the processing of Personally Identifiable Information
  • Monitoring the compliance of the controller or processor
  • Providing guidance on Data Protection Impact Assessments
  • Acting as a liaison with and contact point for the local supervisory authority
The DPO, therefore, should be involved in all matters that are related to the protection of personal data, as dictated by Article 38. Article 38, which is concerned with the position of the DPO, also requires the controller or processor to support the DPO in the performance of their duties (under Article 39), to provide the necessary resources and to ensure the maintenance of their expert knowledge (a point which we will come back to later). The article goes on to protect the position of the DPO by requiring that the controller or processor not give the DPO any instructions as to how to perform their role, and that the DPO may not be dismissed or penalised for the performance of their tasks. The DPO must report to the highest level of management within the controller or processor. Finally, Article 38 states that while the DPO may perform other tasks or duties, the controller or processor must ensure that any such tasks or duties do not result in a conflict of interest with their role as DPO.
Do We Need a DPO?

Not every organisation requires a DPO. Article 37 identifies the following three conditions that mean it is mandatory for the organisation to have a DPO (although any organisation may choose to elect a DPO):

Public Authority

The controller or processor is a public authority or body (except for courts acting in their judicial capacity)

Monitoring

The processing activities require regular and systematic monitoring of the data subjects on a large scale

Special Category Data

The processing activities consist of processing on a large scale of special categories of data (as identified within Article 9), or criminal convictions and offences (as identified within Article 10)
Note that, at the time of writing, there is no clarity as to what is meant by ‘regular and systematic’ or ‘large scale’; however, further guidance is expected.

Further, the DPO may represent a group of organisations and is not required to be an employee of the organisation. Their contact details will be published and also communicated to the supervisory authority.

So, Do We Need a DPO?

If your organisation clearly does not fit into one of the three mandatory conditions within Article 37, then you do not have to have a DPO. If you believe you may be included, then it is advisable to appoint a DPO. Do not wait for the grey areas to be clarified: the expert input into your GDPR compliance programme will be highly valuable even in the event that it is later deemed unnecessary to have a DPO. Of course, if your organisation clearly comes within one of the three cases then you must have a DPO appointed, and it would be advisable to have that in place as quickly as possible and certainly well ahead of the 25th May deadline.

Who Should be My DPO?

As you look around your organisation to identify the most suitable candidate for DPO, it should be remembered that this role must not be conflicted by other duties. That means it should not come from any department that has direct, or even indirect, involvement with data processing. Note also that the role is required to be a GDPR expert and to maintain that level of expertise. That maintenance will be very important as GDPR evolves and becomes tested and proven through litigation and clarifications across the various member states. Even in the UK, as we move towards the Data Protection Bill, in its initial stages it will be highly open to interpretation until we have such clarity through case history and legal precedent. This means your DPO must have the capacity to stay abreast of GDPR developments and provide suitable advice back to the organisation. Finally, note that the role should report to the highest level of management, at least in their GDPR capacity if they are performing other duties.

You may find that having gone through the above, there is no obvious candidate. In which case you may need to create a new position of DPO or work with an external group who can provide a virtual DPO service. It is also worth remembering that the function of DPO does not have to be a single person. It may well be best for you to split the role and, even in this circumstance, you can consider an external GDPR expert to be part of that DPO function.

Would you like to know more about a Virtual DPO?

do UC is a Certified Data Protection Officer and can tailor a service to fit your requirements and budget. Whether as a dedicated resource or as part of a DPO team, we can support your compliance programme.