By Guest Blogger: Paul Dawson-Hart, Member360
It should come as no surprise that, as with all things GDPR, there’s a lot of crap information out there, and the new role of Data Protection Officer (DPO) is no different. An entire blog could be dedicated to GDPR FUD, but rather than ranting, Jon Baines, Chair of the National Association of Data Protection Officers, summarises the issue quite well in his breaking story.
What do they do and what skills do they need?
The DPO is the new sheriff in town. His or her role is to promote, advise and police the organisation, ensuring compliance with Data Protection Law (GDPR). They assess the risks of processing personal data and whether the rights and freedoms of data subjects might be at risk, they undertake Data Protection Impact Assessments (which support the principle of privacy by ‘design and default’), they ensure staff are trained adequately, and they are the ICO point of contact.
The DPO’s authority and autonomy are guaranteed by the Board. After all, the DPO is a “protected role”: they cannot be penalised, bullied or sacked for doing their job.
Consider the ‘Poacher turned Gamekeeper’ principle. The DPO role should definitely not sit within IT or Marketing (German companies have been fined for this). Furthermore, Membership and HR are out too, and neither should it be the CEO/COO.
They should have expert knowledge of the GDPR, Info Sec and Data Protection generally, have Membership sector context and be well versed operationally in the data processing undertaken in the organisation.
They should be independent whilst maintaining close working relationships, open and collaborative in nature but commanding respect. They’ll also be dedicated and in it for the long term, not a change manager type.
When are they mandatory?
1) Where the processing is carried out by a public body
The definition of what constitutes a public body is determined by UK, not EU, law and has been debated in the House of Lords as the Data Protection Bill 2018 enacts GDPR (and other legislation). But it will logically mean all local/central government, the NHS, quangos, Universities etc.
2) Where CORE activities require REGULAR and SYSTEMATIC monitoring of personal data on a large scale.
Now this is where it gets interesting: this introduces the kind of words loved by lawyers, “core”, “regular” and “systematic”.
“Regular and Systematic Monitoring”
Focus on the word monitoring here: ISPs, national marketing agencies, and social networks that use tracking and behaviour monitoring would all fall into Regular and Systematic monitoring.
3) Where CORE activities involve large-scale processing of sensitive personal data
“Core activities” can be considered as the key operations necessary to achieve the goals of organisations; for instance, promoting excellence and providing guidance, insight and networking for members in a certain field. Now, you may process a lot of sensitive personal data for equalities purposes, but that’s not your core activity.
This one is trickier, as what constitutes “large-scale” isn’t defined by the GDPR and is instead left as a derogation for the UK to decide. I expect and hope clarity will emerge as the UK data protection bill becomes law.
The Article 29 Working party has provided examples of the type of organisations that would certainly fall into this category:
- processing of travel data of individuals using a city’s public transport system
- processing of customer data in the regular course of business by an insurance company or a bank
- processing of personal data for behavioural advertising by a search engine
*If you don’t need a DPO then GDPR does not recommend that you have one. If you do, it will be as if the requirement was mandatory.*
There are reports of a DPO shortage of roughly 28,000, although the veracity of this story is unproven. However, salaries approaching 100k have been seen for DPOs, so if you recruit externally it seems likely that it won’t be cheap.
Equally, if you’re a smaller organisation finding someone suitably qualified internally will be challenging and quite possibly disruptive. Data protection isn’t sexy! Extortionate day rates have made it so, but these will pass.
Outsourcing is a valid option, but would they meet the criteria above? Can you really afford that extra cost?
If you do outsource, ensure the organisation you choose employs consultants with a genuine background in Data Protection. As a minimum, expect pre-GDPR (2015) experience and references ready.
You might, however, decide not to have one. This blog isn’t advocating that membership bodies absolve themselves of their data protection responsibilities, but perhaps call the role something else: GDPR Owner, Data Privacy Advisor, Supreme Commander of Data Protection, whatever you like. Spread the responsibilities across a working group representing the personal data lifecycle of acquisition-engagement-reinstatement (don’t forget HR and your staff data) who meet quarterly.
If you decide that you don’t need a DPO, and guidance from the UK changes and you’re wrong, it seems unlikely that the ICO would enforce so long as you have defended your decision and documented it. We have a free template that may help there if needed, as well as a full sample DPO Job Description, available via MemberWise Connect.
Food for thought…
Member360 is a consultancy that supports trade bodies and membership associations throughout the UK, delivering informed advice on the sector’s key challenges and opportunities.