Tag Archives: DPO

Choosing your DPO: Full-Time? Service? Consult?

I’ve noticed many SMEs running LinkedIn ads to recruit full-time DPOs as employees. And it’s disappointing to see how often the other options are overlooked.

Which DPO Option and Benefits Suit You Best?

I think it’s important to consider all the available options before making a decision. Yes, you could employ a full-time DPO for your business. Or you could contract with DPO specialists to provide DPO as a service. Or you could appoint an internal ‘non-specialist’ and support them with an external data protection consultancy or consultant.

I’ve listed below some of the benefits from these options, so that the next time you need to find a DPO, you have information to help you make an informed decision about what type of DPO you actually need, and what solution might fit you best.

1. Cost 

As with any new employee, hiring a highly qualified full-time DPO involves significant costs, especially in salary and benefits.  Outsourcing the DPO role means you only pay for the DPO services and time you use. You don’t need to consider staff benefits, holiday, sickness, appraisals. Or the time, cost and expense involved if you need to let them go. Nor do you need to be concerned about FTE overheads like office space, equipment or other resources.

2. Flexibility / Scalability

Internal DPOs may struggle with budget constraints and limited resources. Outsourcing can provide a more cost-effective solution, with access to the necessary resources as and when needed. An outsourced DPO service can give you more or less support month by month, depending on your needs. You choose how much time you need, and that time can flex: you can ramp it up or down depending on whether you have a large project or simply need ongoing maintenance. And if you need an interim DPO, you can appoint a consultant with no long-term commitment.

3. Expertise

Top-quality DPOs (whether FTE or outsourced) are experts in data protection law and regulation. But perhaps the biggest advantage of the DPO-as-a-Service or consultancy option is that those DPOs will have gained considerable and diverse experience from working across many different industry sectors. They see many and varied solutions to common data protection issues from the numerous clients with whom they work. And vitally, within a team of DPOs in a consultancy, they will always be learning from each other, considering solutions based on the shared knowledge of the whole team. That shared knowledge then becomes your company’s shared knowledge.

4. Unbiased Approach

An outsourced DPO or consultant has the advantage of being independent and unconflicted. They are able to consider your issues with fresh eyes and no bias. This means they can conduct unbiased audits and assessments of your data protection practices, and then help you implement any remedial actions.

5. Internal Challenges

Full-time DPOs often face challenges such as a lack of support from key stakeholders and a lack of cooperation within the organisation. Although fully engaged with the client and its goals, outsourced DPOs can navigate these challenges more effectively because of their independence.

Conclusion

The traditional route of hiring a full-time employee may be perfect for many companies. But it’s clearly not the only solution. So when you next need to appoint a DPO, you could state that not only full-time employees but also DPO-as-a-Service providers or consultants are welcome to apply.

That way you can be sure you don’t miss out by excluding the right person by default. And of course, you can review and interview applicants as normal and make your own decision about which individual or option fits your needs best.

Data Compliant International

If you are looking for a DPO or supportive consultant, Data Compliant International provides DPO-as-a-Service and data protection / privacy consultants to a wide range of business sectors. If you’d like to know more about how we help our clients, please take a look here. If you would like help or assistance with any of your data protection obligations, please email dc@datacompliant.co.uk or call 01787 277742.

Lessons from Darts: Team Dynamics in Data Protection

Teams are an essential part of life – from school to adulthood, from sports to business. A well-functioning team leads to extraordinary achievements, whether in a local darts league or a data governance team.

The Darts Team Triumph

Consider my local darts team, which recently won the team title, along with individual singles titles. This victory wasn’t just about individual knowledge and talent; it was the result of shared goals, a strategy to achieve them, collaboration, strong mentoring and mutual support. Each player’s unique skills, the camaraderie and the collective effort all contributed to the team’s overall success.

Transferring Team Dynamics to Data Governance

The same principles apply to data protection governance teams. Every member of the team must understand its overall objectives and be responsible and accountable for data management and governance. The team will need a framework for success, including communication and collaboration, and the creation and maintenance of policies and procedures around data collection, privacy, compliance, integrity and security. And it must provide regular reports to senior management, who are ultimately accountable.

Roles, Goals and Data Stewardship

Individuals within the team will take on data stewardship roles. In essence they will oversee the entire lifecycle of personal data, from collection to deletion, and be accountable for compliance and security at every stage. All team members will support each other, sharing knowledge and expertise to help manage challenges and foster a culture of continuous improvement. And each will have their own individual areas of responsibility, including embedding data protection throughout their own area of the business.

Education and Continuous Improvement

Like in darts, governance team members learn from each other’s techniques, and share knowledge, best practices and insights. This knowledge is then used to help build awareness throughout the organisation about data protection and data security, and to educate employees about crucial data protection principles.

Risk Management

Sports and business both carry risks, and the team must take responsibility for identifying, assessing and mitigating them – in data governance, for example, through Data Protection Impact Assessments (DPIAs). The team must also develop and rehearse its response plans so that it knows how to respond if there is a data breach or security incident.

Enabling Team Leaders

Team leaders are crucial. They are pivotal in cascading information down to their specific areas of the business – in data governance, for example, it’s helpful to have leaders from IT, HR, Marketing, Operations, Payroll and so on. It’s those team leaders who will then ensure that everyone in their team understands their roles and responsibilities, and who provide the resources and training so that every individual in the organisation can thrive and contribute effectively.

Conclusion

Effective teams enable the individuals in your organisation to achieve more together than they ever could alone. With a data governance team that fosters collaboration, shared problem-solving and continuous education, your organisation will benefit from strong and highly successful outcomes.

Data Compliant International

If you would like help or assistance with any of your data protection obligations, please email dc@datacompliant.co.uk or call 01787 277742. And for more information about how to meet your Accountability and Governance obligations, please see here.

What is a Data Protection Officer (DPO), and do you need one?

A DPO (Data Protection Officer) is an individual responsible for ensuring that their organisation processes the data of its staff, customers, suppliers and any other individuals (i.e. data subjects) in compliance with data protection regulations. Under the EU-wide General Data Protection Regulation (GDPR), a DPO is mandatory for:

  1. Public authorities; and
  2. Organisations that process data:
  • On a large scale;
  • With regular and systematic monitoring;
  • As a core activity; or
  • In large volumes of ‘special category data’ (formerly known as ‘sensitive personal data’), i.e. information relating to a living individual’s racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health condition, sex life or sexual orientation, or biometric data.

It may not be immediately obvious whether an organisation must have a designated DPO under GDPR. Where it is unclear, a formal evaluation should be carried out, recording the decision and the reasons behind it. The WP29 Guidelines on Data Protection Officers (‘DPOs’), endorsed by the European Data Protection Board (EDPB), recommend that organisations conduct and document an internal analysis to determine whether or not a DPO should be appointed. Ultimately, such decision-making should always take into account the organisation’s obligation to fulfil the rights of the data subject, the primary concern of the GDPR: does the scale, volume or type of data processing in your organisation risk adversely affecting an individual or the wider public?

If a DPO is not legally required

Organisations may benefit from voluntarily appointing an internal DPO or hiring an advisor – this will help ensure best-practice data protection policies and practices, improving cyber security, staff and consumer trust, and bringing other business benefits. When a DPO is designated voluntarily, the appointment is treated as if it were mandatory under GDPR – i.e. the voluntarily appointed DPO’s responsibilities, as defined in articles 37 and 39 of the GDPR, will correspond to those of a legally mandated DPO (in other words, GDPR does not recognise a quasi-DPO with reduced responsibility). As an excerpt from the GDPR explains: “if an organisation is not legally required to designate a DPO, and does not wish to designate a DPO on a voluntary basis, that organisation is quite at liberty to employ staff or outside consultants to provide information and advice relating to the protection of personal data.

However, it is important to ensure that there is no confusion regarding their title, status, position and tasks. Therefore, it should be made clear, in any communications within the company, as well as with data protection authorities, data subjects, and the public at large, that the title of this individual or consultant is not a data protection officer (DPO).”

But how are the conditions that make a DPO mandatory defined under GDPR?

Large-scale processing: there is no absolute definition under GDPR, but there are evaluative guidelines. The WP29 guidance on the GDPR suggests data controllers should consider:

  • The number of data subjects concerned;
  • The volume of data processed;
  • The range of data items being processed;
  • The duration or permanence of the data processing activity; and
  • The geographical extent.

Regular and systematic monitoring: as with ‘large-scale processing,’ there is no definition as such, but the WP29 guidance clarifies that monitoring includes any form of tracking or profiling on the internet, including for the purposes of behavioural advertising. Examples of regular and systematic monitoring include:

  • Data-driven marketing activities;
  • Profiling and scoring for purposes of risk assessment;
  • Email retargeting;
  • Location tracking (e.g. by mobile apps); or
  • Loyalty programmes.

What does a Data Protection Officer do?

Article 39 of the GDPR, ‘Tasks of the data protection officer,’ lists and explains the DPO’s obligations. As a minimum, a DPO’s responsibilities include the items summarised below:

  1. Inform and advise the controller or the processor and their employees;
  2. Monitor compliance with the Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
  3. Provide advice as regards data protection impact assessments and monitor their performance;
  4. Cooperate with the supervisory authority; and
  5. Act as the contact point for the supervisory authority on issues relating to data processing.

Harry Smithson 2019