The focus on the GDPR over the last year has centred on the penalties that can be incurred for non-compliance. Indeed, the General Data Protection Regulation (GDPR) has something of a Hollywood horror movie about it: it has been cast as a giver of rights, a visionary, a destroyer of marketing and an inducer of stress, but it has not yet been given the label of job creator. For professionals in data protection, however, that is exactly what the GDPR is.
Enter the DPO
If we take a deeper look at the GDPR, and specifically Article 37, it introduces a new supervisory appointment called the Data Protection Officer, or DPO. The following five points will help you get a better understanding of this new rule:
- Any public authority must appoint a DPO – from 25 May 2018 under the GDPR, and preferably before, there will be a new addition to public sector information security departments. Except for courts acting in their judicial capacity, any public authority or body that processes personal data must appoint a Data Protection Officer (DPO) whose role is to oversee data processing activities and monitor compliance. Courts acting judicially, and law enforcement processing in some cases, are carved out of parts of the GDPR so that the regulation does not hinder the administration of justice or public safety.
- For most private organisations it is optional, but recommended – there is talk that if your organisation is bigger than a specified size, appointing a DPO becomes mandatory. This is not the case; the GDPR sets no headcount or turnover threshold. Outside the public sector, Article 37 requires a DPO only if an organisation's core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of special categories of data (Article 9) or data relating to criminal convictions and offences (Article 10). Terms such as "core activities" and "large scale" are not defined numerically, and that ambiguity means it may be in the best interests of most organisations to create the DPO role as a matter of risk containment, even where there is no obvious need. If you decide not to appoint one, record the reasoning so you can show it to a supervisory authority later.
- The DPO must have demonstrable expert skills – from its inception, the EU has made it clear that it does not want the GDPR to become a tick-in-the-box compliance activity, and the same applies to the DPO role. Organisations are not allowed to nominally assign the role to an unqualified staff member: Article 37(5) specifies that the DPO must be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practice, and the ability to fulfil the tasks listed in Article 39.
- Data subjects must be able to reach the DPO – as well as monitoring the data processing activities of the controller or processor and its compliance with the GDPR, the DPO is the point of contact for data subjects on all matters relating to the processing of their personal data and the exercise of their rights. The DPO's contact details must be published (on the organisation's public website and in its privacy notices, for example) and communicated to the supervisory authority.
- DPOs and vDPOs can be shared – most small to medium-sized businesses will probably not require a DPO on a full-time basis, and with that in mind the GDPR allows a group of undertakings, or several public authorities, to appoint a single DPO, as long as the DPO remains easily accessible from each establishment and the role in each organisation is not diminished or compromised by the others. The DPO may also be an external contractor, which has given rise to a new service called the virtual DPO (vDPO): an outsourced third-party role that provides a DPO for a specified and agreed number of days a year.
Essentially, in creating the DPO role, the GDPR's intention is to ensure that someone who knows the rule book sits inside the organisations that handle and process personal information. The DPO is a one-stop shop for anything to do with data protection: informing and advising the organisation, monitoring compliance and cooperating with the supervisory authority (the ICO in the UK). Note that accountability for compliance stays with the controller or processor; the DPO advises and monitors but cannot be made personally liable for the organisation's failures. Even so, having a designated expert on the inside is far more effective than expecting a supervisory authority to police the GDPR from the outside.
A DPO for Hire
For many larger organisations that already have an Information Security Officer (ISO), additional training may allow that person to take on the DPO role as well. The GDPR does not mention ISO 27001 by name, but the "appropriate technical and organisational measures" required by Article 32 map closely onto an ISO 27001 information security management system, which any ISO will be very familiar with. One caveat: Article 38(6) permits the DPO to hold other roles only where they do not create a conflict of interest, so someone who decides the purposes and means of processing (a CIO or head of IT, for instance) should not also be the person monitoring that processing. For smaller organisations, or those not sure whether they need a DPO at all, a vDPO is the more flexible and cost-effective option.
Whilst many of the concerns about the GDPR are subjective, the prospect of job creation is not. In the not too distant future there will be a rise in job adverts for Data Protection Officers across recruitment websites, and one of them could be your next opportunity.
For more information on Cyber Management Alliance, assistance with GDPR readiness, ISO 27001 certification, their Live Online CISSP Training & Mentorship programme and other courses, webinars, the Wisdom of Crowds live and virtual events, and their Insights with Cyber Leaders series of executive interviews, contact us today.