In this article Curatrix look to provide the answer to the question, ‘Do you need a Data Protection Officer?’
In the wake of several landmark data breaches, many organisations are once again finding themselves asking, ‘Do we need a Data Protection Officer?’ Although the guidance under the regulation may seem clear to some, to others the line can feel a little blurred. While having a Data Protection Officer (DPO) may not be ‘compulsory’, not having one creates a risk to any organisation that handles, processes or monitors personal data. It is a risk that few businesses can afford.
GDPR and DPO
Under the GDPR, appointment of a DPO is compulsory if you:
- Are a public authority or body
- Conduct regular or systematic monitoring of data subjects
- Process special categories of data or criminal convictions on a large scale
And it’s those key words that blur the lines. Because how often is ‘regular’? What constitutes ‘systematic’? How large is ‘large’? Well, the honest answer is that there is no right answer. It really does depend on your organisation, the sector you are in, the amount of effort you have made and the steps you have taken to protect your data subjects from a breach.
Why appoint a DPO?
This is why clients and businesses often choose to appoint a DPO. Even if it may not be compulsory for them, in doing so they can demonstrate to the ICO, their beneficiaries, their customers and their business partners that they have done everything they can to protect them. No system is perfect; all processes carry a degree of risk, and sooner or later, those processes can break down. And the main principle of GDPR isn’t necessarily how successful you were in protecting data against all possible threats. It’s how hard you tried as a responsible stakeholder and business leader to protect the data to the best of your ability with the resources available to you.
And that ability is where the DPO comes in. Under GDPR, your DPO needs to meet certain criteria; they need to be impartial, authoritative, unimpeded, constantly informed and educated in a wide range of disciplines. They also benefit from protected employment status, and it’s very hard to double up on responsibilities without breaking the conflict of interest requirement.
Getting those skills in-house comes with a hefty price tag. Many organisations are now finding that they can make cost savings in recruitment, employment and retention by outsourcing the service to a qualified practitioner.