Earlier in this series of blogs we looked at the value that the Data Protection Officer (DPO) can bring to your organisation. We looked then at the core responsibilities of the DPO.
However, there are some aspects of Articles 37-39 of the UK GDPR, the ones that describe the function of a DPO, that make a strong case for outsourcing the role of the DPO.
One of the challenges, particularly in a smaller business where staff may already be stretched, is that of finding a suitable appointee for the DPO role. The ICO website’s ‘at a glance’ guide to assessing likely candidates states: “The DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level”.
In appointing someone to the role there can be a temptation to look at data protection in relation to other aspects of the organisation’s management structure. The Marketing Manager is often a user of the personal data that the company holds and can end up with the role.
A key question in that case would be one of independence. Does the person most closely associated with processing the personal data have the necessary objectivity to also be its chief guardian?
The other existing role that can acquire the DPO function is the I.T. manager. Handing an additional set of responsibilities to what in many companies is one of the busiest jobs is a potentially questionable decision that could allow focus on the critical DPO function to drift.
While the option of appointing quickly from within is enticing, considering the requirements of the DPO role, we suggest looking outside the business to acquire a DPO with the proper level of data protection certification, skill, focus and understanding.
This will ensure that the basic requirements quoted from the ICO’s ‘at a glance’ guide are fulfilled.
Article 37 of UK GDPR is the one that states the necessity of having a Data Protection Officer.
However, the article’s definition of the tasks of a DPO is instructive when it comes to considering whether an outsourced option would be advisable. “It’s important to remember that the DPO’s tasks cover all personal data processing activities, not just those that require their appointment under Article 37.”
The appointment of a DPO is a critical business decision in several ways.
CSRB’s own job description for the role has several useful indications that outsourcing can be the best option for many organisations.
- “The Data Protection Officer reports directly to the Board of Directors and is a member of the Senior Management team.” Utilising an existing team member may require a change in their primary role, to give them the senior level access that the DPO role requires.
- “The Data Protection Officer is the main contact point for employees and will liaise with all members of staff on data protection matters.” The danger is that the incumbent sees the all-important DPO role as a distraction from a principal function within the organisation and relegates it to a lower priority, which exposes the business to a high level of risk.
- “Ensure training and awareness is available and delivered to all members of staff involved in processing operations relating to personal data”. This is another potentially time-consuming but vital function that cannot be lost within general duties.
The case for outsourcing your Data Protection Officer is strong.
Allowing the role to be submerged in an existing team member’s busy schedule exposes the organisation to a much higher level of risk, because the necessary level of vigilance regarding compliance is not kept up.
Placing the role in the hands of a certified expert whose sole task is to protect you from that risk and support your senior management team, whilst ensuring all staff understand and engage with their responsibilities regarding the processing of personal data, will aid business growth and development.
CSRB has a simple mission: to be clear and open about personal data protection. What you need, why you need it and what you are legally required to do.
Our outsourced Data Protection Officer (DPO) service will help you manage and protect that personal data responsibly, whilst taking the jargon out of the process.
Please get in touch with us here or call 0117 325 0830 to learn more.