Faced with the challenge of appointing a Data Protection Officer (DPO), many businesses’ first thought is to look internally, handling data protection responsibilities to an existing employee. Yet doing so could do more harm than good to their GDPR compliance.
For some businesses, hiring a Data Protection Officer is a necessity, an essential part of the process of meeting the legal requirements laid down in the European General Data Protection Regulation (GDPR).
For others, it’s simply a worthwhile addition to the team, a means of implementing GDPR-recommended best practice and proving to customers, stakeholders, and employees alike that they’re taking data protection seriously.
Either way, the journey towards naming an official DPO can often prove to serve up just as many challenges as it looks to solve.
- How do you find someone who knows your business and your data well enough to carry out the job effectively?
- How you find someone who combines that first-hand knowledge of your enterprise with a deep understands of GDPR and other data protection regulation?
- More importantly, how do you find someone who has all the necessary knowledge and data protection know-how, yet won’t prove to stretch your already limited resources.
For some businesses, the immediate answer seems obvious:
Appointing a Data Protection Officer From The Existing Workforce
After all, who better to trust the management of your GDPR compliance at the highest level than someone already firmly established in your organisation?
That’s before we mention the fact that adding DPO responsibilities to the workload of an existing employee can prove significantly more cost-effective than going through the whole hiring process to bring in someone from outside the business.
Yet as easy as it seems on the surface, appointing an internal DPO isn’t always so straightforward.
At Relentless Privacy & Compliance, we work with businesses throughout the UK and International regions to help them manage DPO responsibilities in a way that proves both cost-efficient and effective in ensuring frictionless compliance with GDPR right across the board.
Here, we explain why appointing a Data Protection Officer from within your organisation may prove more difficult than you might think.
First though, let’s go back to basics:
What is a Data Protection Officer? Does My Business Really Need One?
In a nutshell, a Data Protection Officer is an officially named person responsible for overseeing the GDPR compliance of the organisation appointing them. If you hire a DPO, they’ll be the person who responds to Data Subject Access Requests, who ensures that all your compliance measures are sufficient and effective and -in a worst-case scenario- who reports a data breach to the relevant governing body. In this case, that would be the Information Commissioner’s Office (ICO) for the UK . For a full list of member states DPA please see the details here
Hiring a DPO isn’t compulsory for every business or organisation. Article 37 of the GDPR state that your organisation will only be required to legally appoint a DPO if:
- You’re a public authority (except for courts acting in a judicial capacity)
- Your core activities require “large-scale, regular and systematic monitoring of individuals
- Your core activities consist of “large-scale processing of special data categories of data or data relating to criminal convictions and offences.
That being said, the Article 29 Data Protection Working Party does recommend hiring a DPO as a means of ensuring best practice.
What Does GDPR Say About Hiring a DPO From My Existing Workforce?
Here’s the thing:
GDPR doesn’t actually say that you can’t appoint a DPO internally.
It does, however, lay out several essential requirements for how the appointed person carries out their role. For example, the DPO must:
- Be free to carry out their duties independently, with no influence from management or trustees
- Carry out those duties at board level, reporting only to the highest level of seniority within the organisation
- Be able to carry out their DPO duties without carrying out existing operational duties which serve as a clear conflict of interest.
It’s at this point when we start to see clear problems with appointing an internal DPO. Recently a German company was fined for that very reason of conflict of interest
Avoiding a Conflict of Interest
When it comes to the responsibilities of a Data Protection Officer, a conflict of interest is likely to arise in any one of two situations:
1: When the DPO’s other responsibilities involve defining the purposes and means of processing the very same personal data that they are responsible for governing the protection of.
2: When the DPO’s other responsibilities involve putting the interests of the business before the protection of personal data.
For example, you couldn’t appoint your existing marketing manager as DPO as they are typically responsible for determining what data is processed and why, and using that data first and foremost to help the business increase sales.
Likewise, since your IT Manager, Chief Technology Officer (CTO), and IT Security Manager are also unlikely candidates for the position since their existing roles are likely to be concerned -at least at some level- with managing data security measures.
Again, this serves as a conflict of interest since the DPO is responsible for determining whether those same measures are up to scratch in terms of ensuring frictionless compliance with GDPR.
Who Can I Appoint as a DPO if I Choose to Keep The Position Internal?
Just because there are certain roles within your organisation that are clearly unsuited for taking up DPO responsibilities doesn’t necessarily mean that there won’t be someone in your team suited to the position.
Providing they are sufficiently knowledgeable on GDPR and you’re confident that no conflict of interest would occur, an existing Compliance Officer, Freedom of Information Officer, or someone else in a similar position may be able to take up the post.
Remember, however, that regardless as to what level their existing position may be at within your company structure, you must be prepared to recognise your DPO as a board-level role, reporting only to the highest level of management but without allowing that management to influence any of the decisions the DPO needs to make to ensure your business is compliant.
How Does This Apply if I Use a Third-Party to Process Data?
As a data controller (an organisation who determines the reasons why personal data is processed and means of going so), it may be that you outsource your actual processing to a third-party data processor.
This could take any number of forms, from hiring an external marketing agency to run campaigns based on your mailing lists, to using online services to process your accounts and HR practices.
Whatever the case may be, you’ll find it necessary -if you haven’t already done so- to update existing contract agreements with an addendum which outlines the rules and responsibilities of both parties when it comes to protecting that personal data in accordance with the GDPR.
In offering guidance on these contracts, the Information Commissioner’s Office says:
“Controllers are liable for their compliance with the GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected.”
One of these ‘sufficient guarantees’ made by the processor is that -where necessary- they have appointed a DPO. This also applies to any sub-processors that are hired to carry out the processing work.
As a controller, you should be confident that an appropriate person has been appointed to the role of DPO and that any processors (and their sub-processors) are meeting GDPR requirements, as their failure to do could still result in fines for your organisation.
Outsourcing DPO Services
So far, we’ve considered the dangers inherent in appointing an existing member of your workforce to the role of Data Protection Officer, all of which has likely left you with one very important question you need answering:
If hiring internally is going to create more problems than it solves, then what’s the alternative?
The answer is simple, and is presented to you in GDPR Article 37(6)
“The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.”
In other words, there’s no need to risk a potential conflict of interest by hiring an existing employee when you can outsource the work of a DPO to a third-party.
Not only does this negate all the potential pitfalls of an internal appointment, but it also ensures that the person carrying out DPO services on your behalf can make the most of their position outside the company to remain fully impartial and independent, a key requirement of the GDPR. requirements
At Relentless Privacy & Compliance, we offer a comprehensive Data Protection Officer service to companies throughout the UK and International regions , combining our years of experience in helping global organisations to meet data protection requirements with expertise into the most effective, affordable, and practical methods of ensuring frictionless GDPR compliance.
The result is that our clients not only ensure they meet all of the necessary GDPR requirements but that they do so in a way that provides a long-term, tangible benefit to their day-to-day operation.