Last week (14th September) saw the UK publish its new Data Protection Bill, which the Government claims will “bring our data protection regime into the 21st century”. The bill, part of the National Cyber Security Strategy, is intended to find a balance between protecting data, penalising those who break the rules and returning control of data to the people.
However, that could prove somewhat trickier than hoped. The new bill, which stretches to 218 pages, has 18 schedules and 112 pages of explanatory notes, has been described by the chairman of the National Association of Data Protection and Freedom of Information Officers, Jon Baines, as “a bit of a mess”.
That said, from next spring companies will face a long list of rules that they will have to follow in order to comply with the new General Data Protection Regulation (GDPR). One of the most controversial changes is the requirement for some organisations to appoint a data protection officer (DPO). Responsible for advising the organisation on its GDPR obligations, training staff involved in data processing and monitoring compliance through regular audits, the DPO will also serve as the main point of contact between the organisation and the supervisory authority (in the UK, the Information Commissioner’s Office).
Does every organisation need a DPO?
Under Article 37 of the GDPR, a data protection officer is mandatory where:
- the processing is carried out by a public authority or body (except for courts acting in their judicial capacity);
- the core activities of the controller or processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or processor consist of large-scale processing of special categories of personal data (sensitive data) or of data relating to criminal convictions and offences.
A group of undertakings may appoint a single DPO, provided that the DPO is easily accessible from each establishment. Organisations outside these categories may still appoint a DPO voluntarily, in which case the same GDPR requirements on position and tasks apply.
How do companies find a suitable candidate?
As with any senior hire, recruitment can be a challenge, perhaps even more so for a DPO role. Many organisations are using the upcoming GDPR to formalise their compliance function and are making the DPO a dedicated post rather than an add-on to someone else’s job. With every organisation that is required to appoint a DPO searching for one at the same time, suitable candidates are in high demand.
One option is to train current employees: assessing the internal team is a good first place to look, as existing staff will have the best understanding of the business. The GDPR allows the DPO to be a staff member or an external provider working under a service contract, but in either case the DPO must not hold other tasks or duties that create a conflict of interest, which in practice rules out roles such as head of IT or head of marketing that decide the purposes and means of processing.
What does a good DPO look like?
Firstly, the DPO will need to understand the organisation’s existing data sources and examine what types of personal data, particularly special-category data, are being collected, handled and stored, and on what lawful basis.
A skilled data protection officer will also need to be tenacious and persuasive in order to drive through the changes required to meet the GDPR’s strict deadlines. The tight timescales for breach notification (72 hours to notify the supervisory authority of a reportable breach) and for responding to subject access requests (normally one month) will demand agility and the ability to juggle several tasks at once.
Although no formal qualifications are required, a DPO can be trained in privacy to both foundation and practitioner-level certification, with the option of including an EU focus.
Whichever avenue you go down, it is important to ensure the DPO has detailed, up-to-date knowledge of data protection law and practice, possibly gained from time in a compliance role.
The job description
The roles and responsibilities of a data protection officer will be wide and varied; however, some requirements are fundamental to all. For example, the DPO will oversee the day-to-day data protection activities, including privacy governance, maintaining the record of processing activities that replaces the old notification regime, liaising with the Information Commissioner’s Office, developing and auditing data protection processes, advising on data protection impact assessments, and providing practical advice and guidance.
As the role is critical to GDPR compliance, any data protection officer must also have the seniority and personal presence to command the attention of the Board. The GDPR requires the DPO to report directly to the highest level of management and prohibits dismissing or penalising the DPO for performing their tasks, so the organisation should design the reporting line accordingly.
Begin the search now
While aligning an organisation to GDPR in advance of the 25 May 2018 deadline may seem like a daunting task, getting the right DPO in place now can help ease the pressure and prevent potential financial and regulatory consequences down the line.