[GDPR] Training – What is a Data Protection Officer

A Guide to Data Protection and the GDPR

This article forms part of a collection to introduce you to what Data Protection and ‘GDPR’ are. It’s based upon staff training that we’ve provided for companies to make sure they had a basic working knowledge and were able to take the steps to protect individuals personal information in their care.

This guide takes you through the overview and basics of What a Data Protection Officer is and does within your organisation. If you have any questions or require consultation or guidance please don’t hesitate to contact me to discuss further.

Do I need a Data Protection Officer?

Your Organisation may not have a Data Protection Officer (or DPO) – They are not a requirement for every organisation (After all you could be sole trader) but they are recommended. As a DPO myself – I would always recommend that either you have a designated DPO or at least a designated lead making sure that your company has someone who is always thinking about the personal data you have. It’s important to remember that every organisation that has at least 1 employee/volunteer is holding personal information.

Under the GDPR, you must appoint a DPO if:

  • you are a public authority or body (except for courts acting in their judicial capacity);
  • your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
  • your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.

So What is a DPO?

A DPO is an employee of a company who is responsible for advising and ensuring (by advising correctly, helping write policy, providing training etc) that the company is adhering to the GDPR and is balancing the commercial requirements of the company vs the important rights and freedoms of the data subjects. The DPO is always the lead contact for any conversation with data subjects regarding any data protection element as well as being the lead contact in any contact with the data protection supervising body (Here in the UK that’s the Information Commissioners Office). 

The general idea of a DPO is to keep the company accountable to the Law, to its customers and evidence the hell out of it! 

A DPO can either be an internal member of your team or can be outsourced but they must be allowed to be independent or trusted to so as well as be an expert in Data Protection (such as taking courses, adding seminars. It’s worth saying when the GDPR came out there was no certified ICO course on being a DPO under GDPR which made it all very grey!), they should also maintain this level of expertise by re-training and keeping up-to-date with the latest in data protection legalities. A DPO does not have to be a lawyer, this is a common mistake and while there are some fantastic DPOs that are lawyers the job is about more than knowing the Law, it’s about being able to advise in real terms what your company procedures and processes should be and so project managers (among other roles) also make fantastic DPOs. 

The DPO is also a protected position they should have a direct path to the most senior positions in the company (to raise issues and effect change), and a DPO can not be dismissed based upon their official recommendations or duty over data protection and the GDPR, they can of course like any employee be dismissed for gross misconduct and many other unrelated to the title reasons.

A DPO will help guide your company, review it from head to toe and make recommendations to bring you in-line with the GDPR (as well as other relevant legal requirements), A Good DPO will help balance and mitigate the risk of your companies services and products. DPOs are not meant to be the fun police in-fact as a DPO I always find it quite fun when I’m brought a new idea where personal data needs to be used in a new and exciting way and we need to balance that use with the protections of the customer. A good DPO should rarely say no and instead work with the company and employees to mitigate the risk to data subjects (Such as through data minimisation, encryption, staff training or even just a clearer notice to data subjects) until the idea can go ahead again.

A Data Protection Officer is not guaranteed by any means to be a cybersecurity expert and so I’d recommend treating that as completely separate expertise and knowledgebase (because it is!).

Your DPO is there for you.

As an employee, A DPO will guide you with procedure and policy that has been developed with your line-manager or department head. They will provide or arrange for data protection-relevant training for you (which is likely to be yearly, if not more often if you handle sensitive data on a regular basis).  If you have any Data Protection concerns or questions a DPO will/should always be there in an accessible manner to talk through, educate and assist. They should also have an open-door policy or means to allow for anonymous reporting of suspected data breaches or concerns, I know I do as it’s important to get past elements of the blame culture that prevent issues or concerns being reported which then turn into very serious breaches or problems for the organisation.

Your DPO is there for your Data Subjects as well

Your DPO is a public figure for your company. A way of contacting them will be present on your website, anywhere that you collect personal information and any contract that you provide to customers. Data Subjects (customers) need to be aware of their rights and one of those rights is being able to contact the DPO, they should be provided with instructions on how to contact the supervising authority (The ICO) in case they wish to complain about the DPO/ Companies handling of their data protection.

What does a DPO do when there is a data breach?

A DPO has the responsibility of declaring/confirming the existence of a data protection breach under the GDPR as well as measuring the risk to data subjects based on the size and content of the breach. It is then up-to-the DPO to report the incident to the ICO within 72 hours of discovering it (Delayed reporting will certainly count against you when it’s time for the ICO to rule judgement and potentially fine your organisation), If they choose not to because they deem it to be a ‘near-miss’ (where no data has been breached but there was a very close call) then they still need to record this and evidence it should they be investigated in the future. 

The DPO should contact the ICO and work with them as well as relevant authorities alerting them to the risk and the actions of the company to date. They will also need to work with other members of the company/organisation to inform customers (but only if they are the data controller, or have the permission of the data controller) of the breach, and provide guidance to them on how they can protect their identity and any other actions they will need to take to mitigate any further risk (including briefing them to what phishing attacks are).

This is certainly only a very basic overview of what a DPO does and designed for general staff members to gain an understanding. If you’re a DPO with questions then I’m happy to have a chat, recommend resources and books that can help guide you.