Outsourced data protection officer: why it is a business need now
April 27th, 2020
In this blog, we discuss what a Data Protection Officer is and whether your business needs one.
We also consider whether this requirement changes as a result of the response to the COVID-19 pandemic.
In the UK, businesses must comply with the UK Data Protection Act 2018 as well as the EU General Data Protection Regulation (GDPR).
Both of these laws require organisations to appoint a Data Protection Officer in certain situations.
However, regardless of whether it is mandatory to have a DPO, businesses must still comply with the regulations.
How does the coronavirus crisis change this?
Is your business doing things differently in response to the measures introduced during the global Coronavirus pandemic?
For example, is new technology being used by your business or school? Are employees working from home for the first time? Is data being processed in a different way? Are staff using their home Wi-Fi and mobile phones?
If the answer is yes, then you need to review your data and IT security risks.
Data protection impact assessments for new technology should be undertaken. Equally, a review of your data processing activities is necessary to identify any new data security or privacy risks.
Staff shortages due to furloughing
As a business, you may have had to furlough staff, so may not have the right skills to review data security risks. We can help by providing additional skills and resources to your business, delivered virtually and on an outsourced basis.
Are you legally obliged to have a Data Protection Officer?
Does your business carry out regular and systematic monitoring of data subjects on a large scale? Or are you a local authority or public body?
If so, you need one. And outsourcing the DPO can be a very cost-effective solution.
Even if not, unless you only process data for family or personal reasons (see the ICO definition), your business is still required to comply with the regulations.
What this means in practice is that someone in your organisation needs to understand the data protection regulations. In addition, this person will have responsibility for GDPR compliance.
What is a Data Protection Officer?
A DPO is responsible for all aspects of data protection compliance within your business.
Even small and medium-sized organisations that are not obliged to appoint a DPO still need someone to be responsible for compliance.
The data protection regulations also stipulate that a DPO must be able to report to the highest management level, and that there must be no conflict of interest if the role is combined with another job within the company.
This means that there is a strong business case for outsourcing the data protection officer role.
Benefits of an outsourced DPO
Lower training and staff costs
For small and medium-sized organisations, training a member of staff in the regulations can be costly and time-consuming, so outsourcing the role is a cost-effective solution.
Equally, an outsourced DPO can be flexible on the amount of time spent on your organisation. It is possible to ‘flex up’ when a situation demands it, for example, if a data breach occurs.
Complies with GDPR requirements
An outsourced DPO can be independent and objective. Therefore, the business complies with a key requirement of the data protection regulations.
Keeps up to date
In order to keep up to date, a DPO must be active in the Data Protection community. He/she must keep pace with regulatory changes and continually scan for data risks in the business.
What skills are needed?
A good DPO should be able to wear many hats and have a wide range of skills.
IT and operational background
He or she must have strong IT and operational knowledge together with a detailed understanding of the data protection regulations.
Equally, some experience of what ‘being compliant’ looks like in practice is essential, combined with good project management skills and an ability to work across operational departments.
Compliance Audits & Reviews
It is important that the DPO can perform audits to ensure the business is compliant. Additionally, they must know when and why to conduct data protection impact assessments.
Know how to work with the ICO
It is also likely that the DPO will need to contact the supervisory authority in the relevant member state (in the UK, the ICO).
Let’s keep this simple, pragmatic and affordable!
At Data Protection 4 Business, we can offer outsourced Data Protection Officers for your organisation on a flexible basis. Our rates are reasonable, with low annual fees.
This means we can ‘flex up’ as needed, paid at an hourly or daily rate.