Liquid error: internal The rise of the Data Protection Officer | Search · Search Consultancy

The rise of the Data Protection Officer

Tags: blog

$(function () { $("#expandshare").click(function () { $(".hideshare").show(); $("#expandshare").hide(); }) $("#shrinkshare").click(function () { $(".hideshare").hide(); $("#expandshare").show(); }) });

By Alex Nash

As of May 25, 2018, how we view, hold and analyse data will change. The General Data Protection Regulation (GDPR) has recently become a hot topic throughout all areas of the business community, with many of my clients, and even candidates, asking what the impact could be.

It’s important to note that the UK will still be an EU member state when the GDPR comes into force. This means that GDPR is likely to become enshrined into domestic law, and remain so even after Brexit - given that GDPR applies to any size of organisation that collects or processes EU data.

Because the regulations have a jurisdictional reach that stretches across borders to protect EU citizens and the use of their personal information, it will be impossible to conduct business that involves the personal data of EU citizens without triggering the required application of GDPR compliance. Therefore, it is likely that the UK will continue to follow GDPR even after exiting the bloc, because writing new legislation is quite frankly a waste of time - which as we can see is swiftly running out as Brexit negotiations are still ongoing.

One of the most prominent areas of discussion amongst employers and candidates alike, is how some businesses will be legally required to appoint a Data Protection Officer (DPO), according to Article 37(1). With less then 6 months to go until GDPR comes into force, I analyse the emerging role of the DPO, the challenges they might face in introducing and implementing GDPR compliance procedures, and how they will ultimately add value to businesses which control and process mass volumes of personal data.

The importance of the DPO

Given the tasks and the level of responsibility placed on a DPO, where they sit in the management chain determines how effective they can be. Article 38(3) states: ‘The data protection officer shall directly report to the highest management level of the controller or the processor.’  

In an ideal world, the DPO would sit within the Board structure as a Chief Privacy Officer with direct responsibility for a team of people dedicated to data protection. I firmly believe that the title of Chief Privacy Officer will replace the ‘CISO’ position over the coming years – there then will be a technical information security expert who sits below the CPO.

The CPO approach is advantageous as it puts accountability for data protection undeniably at Board level; a organisation can demonstrate clear and focused intent to implement a privacy driven culture for the processing of personal/special category data, and show that good information rights/records management is of strategic business importance. 

The challenges a DPO will face

1. Creating awareness of data protection throughout the company

As the old adage goes, ‘If you fail to plan, you plan to fail,’. DPOs will play a crucial role in preparing businesses for the GDPR by raising awareness amongst executives, stakeholders and the workforce at large.

For better or for worse, people look to leaders to set the tone for their organisation. For this reason, a DPO along with the company’s business executives must establish and maintain a clear line of communication regarding privacy risks. It helps to start from the top, educating business leaders about the nature of security risks, and helping them to incorporate this understanding into the regular communications to their employees.

While employees may look to leaders to set the tone, they will not make substantive changes in behaviour, unless they can directly connect data privacy risks to their work and personal lives. For this reason, it will be critical for DPOs to educate employees in how GDPR will impact their every-day activities. For example, those handling financial information will need to practice the skills involved in securing credit card data and all sources of financial data, just as nurses and healthcare professionals need to protect confidential health information.

The reality is that everyone faces privacy risks which take different forms depending on their role. The way a DPO educates must reflect those differences, or it will be irrelevant and ultimately ineffective.

2. Assessing current data processing methods and adjusting these to meet requirements

A central part of the DPO’s role will be to evaluate how a company’s data is being processed. This will likely be achieved through conducting an information audit. For example, if the organisation is holding outdated or inaccurate personal data, and has shared this with another organisation, a DPO will need to let the third party organisation know so it can amend its own records. Therefore, it will be essential for a DPO to know what information is being held and for what purpose it is being used by the business.

3. Implementing new data processing methods

In implementing new compliance policies and procedures, this is what a DPO’s checklist might look like:

  • Review all existing contracts and consents and refresh these in accordance with the GDPR. These must consider key changes including privacy information, enhanced individual rights and Subject Access Requests as well as consent.

  • Review a company’s current privacy notices and create a plan for making any necessary changes in time for GDPR implementation.

  • Check procedures to ensure they cover all the new enhanced rights individuals have under GDPR, including how to erase personal data or provide data electronically and in a commonly used format.

DPOs should also track the changes made to any data processing activities to achieve GDPR compliance. Keeping a paper trail of what actions have been taken will ensure that companies have a detailed record to serve as evidence of their compliance with the GDPR’s accountability principle.

4. Identifying and understanding how to deal with a data security breach

In the event of a data security breach, the GDPR will require businesses to report the incident to the Information Commissioner Office within 72 hours of its occurrence. As such, it will be a DPO’s responsibility to implement clear data breach notification procedures that will enable the company to detect and report a breach within the required timescale. This could be achieved through an internal data breach register to log and track investigation into any breaches that do occur.

The potential impact of a DPO on your organisation

While some may drag their feet and resent the upcoming GDPR obligations, I believe that businesses stand to benefit from appointing and supporting a DPO. Given how the core role of a DPO is to be the organisation’s in-house data rights expert and the first point of contact with data subjects and regulators, most technology- or data-driven businesses of any size or complexity will likely find that appointing a DPO is advantageous, not only in terms of its own internal compliance efforts, but also in sending a message to its customer base that it takes compliance seriously.

About the Author

Alex Nash is a dynamic and professional recruitment specialist at Search Consultancy. In his role, he is responsible for providing recruitment solutions to the Risk, Financial Crime and Compliance market. His strengths lie in being a trusted advisor for small to medium size (SME) businesses. Should you need to appoint a risk and compliance professional, create a risk management team, or if you're simply qualified and looking for your next role, feel free to contact him on 

To find out more about our tech-related jobs, click the button below!