Who wants to be the DPO??? Anyone??


As organisations work through their GDPR compliance checklist, the thorny issue of who is going to be crowned Data Protection Officer arises. Whilst employees have been happy to contribute their time and skills to a GDPR reference group you may have set up, there’s relative safety in numbers. Going solo ain’t so much fun and no doubt a lot of people are trying to duck out of this particular accolade. And let’s be honest...it is a daunting task.

The appointment of a Data Protection Officer(DPO) is mandatory for certain types of organisations – processing carried out by public authorities, where the core activities of the organisation involve regular and systematic monitoring of data subjects on a large scale or processing of sensitive data including data relating to criminal matters on a large scale. The GDPR is silent on the definition of ‘large scale’ so time to do some homework to determine if you are an organisation that is required to have a DPO at the helm.

The Article 29 Working party have given a little helping hand and identified some specific examples of large scale processing which include:
· processing of patient data in the regular course of business by a hospital
· processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards)
· processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in these activities
· processing of customer data in the regular course of business by an insurance company or a bank
· processing of personal data for behavioural advertising by a search engine
· processing of data (content, traffic, location) by telephone or internet service providers

Even where you assess that a DPO is not required under GDPR for your organisation, many are nonetheless taking this brave step and formally appointing a DPO. Where this is done on a voluntary basis and you are formally nominating someone as DPO then you will need to adhere to the requirements of the role set out in Articles 37-39 of the legislation. And there’s quite a to do list: Advising employees about data protection; monitoring compliance, internal data protection activities, raising awareness of data protection, staff training, audits, advising on data protection impact assessments, co-operation with the ICO, management of breaches, point of contact for all data subjects and so on…oh and the DPO must be registered with the ICO. The guidance also steers you away from appointing head of Legal, IT, HR as the DPO to ensure independence of the role.

Another option is to nominate someone as a Data Protection Lead(DPL)…essentially a DPO in all but name who doesn’t need to be formally registered with the ICO. Whilst they are not tasked with same regulatory must do’s, again, the same issues arise. Less a question of work life balance but work work balance. Allocating the time to sufficiently manage data protection on top of a busy schedule, whether as a DPO or DPL, is a battle – it’s the same juggling act, which ball is going to be dropped first?

Outsourcing the DPO/DPL role is an option many organisations are investing in. With senior staff already over stretched, the prospect of trying to upskill someone in data protection regulations who is already managing a bulging inbox and to take time and resource away from their existing roles is something that may not be workable. That 8th day of the week just hasn’t come along yet. Something will give and no doubt it will be the DPO/DPL responsibilities. With the GDPR, letting data protection quietly slide into the ‘never never’ is just not an option. Outsourcing the role to a data protection specialist may be the answer to all your problems and give you that independence and reassurance of knowing that your data protection requirements are in safe hands. Tick.

At Briefed, outsourced data protection officer or lead consultancy is one of the services we can offer to our clients. Speak to one of our consultants to have a better understanding of how we can work with you to address your specific needs. Please do not hesitate to contact us at Hello@Briefed.pro or on 028 90446780.


Caroline Boyle