It could end up being a million-dollar question: When do you need a DPO for your business?
Back in 2018, GDPR was dominating headlines, gate-crashing boardroom agendas, and causing sleepless nights for many business owners. There was a flurry of activity as organisations scrambled to create new privacy policies and tried to figure out how they would deal with an expected increase in data erasure requests, all in a bid to check the compliance box.
But in many cases, it still wasn’t enough.
To date, the UK’s data protection watchdog – the Information Commissioner’s Office (ICO) – has handed out 952 fines for non-compliance with GDPR, totalling over €1.5bn. In the first quarter of 2021 alone, the ICO received over 2,500 reports of data-related incidents.
DPOs can significantly improve your level of compliance with GDPR and reduce the risk of being on the receiving end of a fine. If you haven’t yet appointed one, read on to discover how you might benefit from appointing a DPO for your business.
What are a DPO’s responsibilities?
The primary role of a DPO is to oversee an organisation’s personal data security and its compliance with data privacy legislation, including GDPR.
The ICO states that DPOs play a key role in establishing the necessary governance and accountability for the protection of personal data.
In practical terms, a DPO has a wide range of responsibilities, which include:
- Advising: Providing expert advice across an organisation on how to process personal data.
- Monitoring: Coordinating compliance reviews, including Data Protection Impact Assessments (DPIAs), against relevant data privacy legislation.
- Communicating: Acting as the primary point of contact with staff, customers, suppliers, the ICO and other regulatory bodies in relation to data privacy.
- Reporting: Highlighting critical data privacy risks to the board and planning remediation activities.
Can’t the Chief Information Security Officer (CISO) cover a DPO’s responsibilities?
While the responsibilities of a CISO and DPO seemingly complement each other, there are potential conflicts of interest that can arise, should one individual take on both roles.
A CISO defines policies and implements processes and technologies to maintain the security of a business’s IT systems and assets, for example deciding what data is recorded within security logs and where data is backed up to.
However, decisions made by a CISO can easily fail to meet privacy requirements. For example:
- Do you have consent to capture and analyse geolocation data from clients when they log in?
- Are system backups being stored in a location outside the UK or EU?
If your DPO does hold another role within your business, you must ensure that this does not allow them to determine the purpose and/or means for processing personal data. In 2020, the Belgian Data Protection Authority (DPA) imposed a fine of €50,000 in a case where a DPO was deemed to perform a conflicting function.
An easy and cost-effective way to ensure there are no conflicts of interest is to outsource your DPO role to an independent expert.
Is it a legal requirement to have a DPO?
GDPR applies to any organisation that collects data on citizens who reside within the European Union (EU). It doesn’t matter how big you are, how much data you collect or whether you are located outside the EU. If you offer goods or services to the EU, or even monitor its citizens’ behaviour, GDPR compliance is a legal requirement.
However, the appointment of a DPO isn’t necessarily a legal requirement.
When must a DPO be legally appointed?
Article 9 of the GDPR states that you must appoint a DPO when your ‘core activities involve processing special category data on a large scale or involve regular and systematic monitoring of individuals’. Each of these terms has a specific meaning:
Core activities: relates to personal data that is processed to help achieve your business objectives. It does not relate to personal data processed for secondary purposes, like payroll.
Special category data: defined by the ICO as:
- Personal data revealing racial or ethnic origin.
- Personal data revealing political opinions.
- Personal data revealing religious or philosophical beliefs.
- Personal data revealing trade union membership.
- Genetic data.
- Biometric data (where used for identification purposes).
- Data concerning health.
- Data concerning a person’s sex life.
- Data concerning a person’s sexual orientation.
Large scale: you should consider the number of data subjects, volume of personal data, range of data items to be processed, geographical extent of your activity and the duration of the processing.
Regular and systematic monitoring: includes all forms of tracking and profiling both online and offline behaviours (think IP address, cookie data and RFID tags).
The ICO provides this useful questionnaire to help you determine whether you need to appoint a DPO. We recommend presenting the results from this at an appropriate executive meeting to create a formal record of the decision.
If you conclude your business does not need to appoint a DPO, it’s still good practice to record your decision for accountability purposes. Alternatively, you may still decide to voluntarily appoint a DPO, for example if you’re planning ahead for future expansion, or as a way to demonstrate good governance to prospective investors.
Who can be a DPO? And can a DPO be someone from outside of your organisation?
The regulations stipulate that you must appoint a single DPO. They can be a member of staff or a contracted third party, which means a DPO can be either an individual or an organisation. Furthermore, in some cases several organisations can appoint a single shared DPO. Whoever you select, it’s important to ensure they are independent and report directly to the board.
How to appoint a DPO
Appointing a DPO can be challenging, particularly since it is a relatively new role for many businesses. In addition, there are no formal qualifications to define a DPO. But while explicit guidance isn’t given on precise credentials, best practice is to ensure your DPO has:
- Skills that are proportionate to the type of data processing your organisation performs.
- In-depth knowledge of data protection law – not just GDPR.
- Good knowledge of your industry or sector.
- An understanding of your organisation’s data protection needs and processing activities.
If you’re uncertain of where to start, the ICO has published a handy 16-point checklist.
Talk to CyPro about a DPO for small businesses
It’s not enough to check the box. Compliance is complex and comes with high costs. According to a report from PwC, nearly 9 in 10 (88%) SMEs spend over $1m to maintain their GDPR compliance – this rises to $10m for larger organisations.
Contact us to discuss how CyPro can support you in filling the critical DPO role in your business.