Outsourced data protection officers
Requirements under GDPR
The General Data Protection Regulation (GDPR), in force from 25 May 2018, provides an accountability-based compliance framework for data protection.
Where the regulation mandates it, a Data Protection Officer (DPO) must be appointed. What does this mean for your organisation?
Do we need to appoint a Data Protection Officer?
Under Article 37 of GDPR, you must appoint a data protection officer (DPO) if you:
- are a public authority (except for courts acting in their judicial capacity);
- carry out large scale systematic monitoring of individuals (for example, online behaviour tracking);
- carry out large scale processing of special categories of data or data relating to criminal convictions and offences (special categories of data are defined in Article 9 of GDPR as being: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; and the processing of genetic data or biometric data for the purpose of uniquely identifying a natural person; data concerning health or data concerning a natural person’s sex life or sexual orientation).
The regulation does not define what constitutes "large scale", but you will need to consider the number of data subjects, the amount of data collected and the duration for which it is kept. Organisations such as banks, hospitals and insurance companies would almost certainly need to appoint a DPO.
What does a Data Protection Officer need to do?
The DPO’s minimum tasks are defined in Article 39:
- To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
- To monitor compliance with GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.
- To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers, etc.).
Who can be a Data Protection Officer?
Under Article 28, you must ensure that:
- the DPO reports to the highest management level of your organisation, i.e. Board level;
- the DPO operates independently and is not dismissed or penalised for performing their tasks;
- adequate resources are provided to enable the DPO to meet their GDPR obligations;
- the professional duties of the DPO do not lead to a conflict of interests.
You can allocate the role of DPO to an existing employee, as long as the employee's professional duties are compatible with the duties of the DPO and do not lead to a conflict of interests. For example, anyone who decides the purposes and means of processing, such as CEOs, Managing Directors, Directors, or Heads of Marketing, HR or IT, would probably not be able to act as DPO.
You can also contract out the role of DPO externally.
What skills and qualifications does a Data Protection Officer need?
GDPR does not specify the precise credentials a Data Protection Officer is expected to have. However, it does require that they should have professional experience and knowledge of data protection law. They must be at a sufficiently senior level to hold the Board accountable and promote a data protection culture within the organisation. They should also have an in-depth knowledge of GDPR, IT and data security, and an understanding of your organisation, your processing operations and your business sector.
How we can help
We can undertake this role on your behalf, which removes any conflict of interests.
Our senior consultant is a certified GDPR practitioner with over 30 years of extensive experience in risk management, safety, compliance and assurance in highly-regulated environments.
We can tailor our Data Protection Officer service to suit your requirements. This may range from supporting you for a few days a year, to a wide-ranging portfolio of activities designed to help you achieve and maintain compliance.