Do you need to employ a data protection officer?

A keyboard key displaying a police figure representing the data protection watchdog
(Image credit: Shutterstock)

It's important in today's age that organisations assess whether they're compliant with the EU's General Data Protection Regulation (GDPR), and the Data Protection Act 2018 in the UK. One way of doing this is by nominating a data protection officer (DPO) a role tasked with ensuring that an organisation adheres to data protection principles in everything it does.

After coming into force on 25 May last year, the toughest data protection regulations written to date have changed the businesses address data collection and management. GDPR introduced several important principles and extended several others, such as in the area of subject access requests (SARs). The right to be forgotten, meanwhile, ensures consumers and citizens have the right to ask for information held by organisations to be deleted, as well as the right to ask for data to be changed if inaccurate, among other rights.

Organisations which do business with the EU must make sure they audit the data collected, and one of the best routes to achieving this is through appointing an individual under whose remit this falls, namely the DPO. Their responsibilities would also involve assessing how data is stored and used, and how it migrates from one location to another. Security is also an essential factor, as the DPO must ensure the data is safeguarded, and that the risks of infiltration or theft are minimised.

Many large enterprises had previously employed full-time DPOs to oversee data protection policies and processes. Under GDPR, however, certain organisations in the public sector, or those which deal with certain kinds of data processing, must hire a DPO in order to remain compliant. For other organisations, however, it's not mandatory. Each business, therefore, must assess first whether a DPO is required, and if not, whether it would bring benefits, should the budget allow.

The goalposts are shifting already

There exists an assumption among many that their businesses are too small to be affected by GDPR, but it's not the case. All organisations must prove they're compliant - whether a sole trader or those which employ hundreds or thousands of employees. Data protection consultant, Mandy Webster explained that the first draft of GDPR only required a company to hire a DPO if they employed at least 250 staff, but that's changed now to apply to all businesses if they process masses of data.

"Now it depends on the risk in the process you're doing. You might be a small business [processing] sensitive data about people's health, race, religion or political beliefs. Maybe you're profiling, monitoring people's behaviour, watching their online shopping baskets and going back to ask them to buy more [based on what they've bought in the past]. Perhaps you're marketing to people using your website based on what you know of them through Google Analytics. If so, you'll need a designated data protection officer."

Hiring a DPO shows that you're committed to complying with the law, and have put measures in place to mitigate any potential mistakes. Should you infringe the regulations, your defence will be far weaker if you can't show that you've done all you can to act in a responsible manner.

"It's very much about accountability," said Louise Clarke, head of recruitment services at Crimson. "The business [needs] evidence that they are both compliant and also have the necessary training and processes in place to ensure that data protection and data policy becomes a robust and scalable part of their business." Consequently, employing your own DPO, said Clarke, is "very much around best practice and ensuring legal compliance but, more importantly, [showing] that you as a business are seeking to continuously improve that, which is all that can be expected."

Internal appointments

Many of the companies that Clarke liaises with look to promote internally if they can. "They want to ensure they have got the best available talent and will weigh up if it's feasible for them to recruit and train within or whether recruiting an expert from outside the industry would be the best option."

There is a third way adding the task to an existing employee's list of responsibilities but this isn't always possible as many roles will be fundamentally incompatible with that of the DPO.

"The chief executive is making decisions about how data is processed at the top end, so they shouldn't be the designated DPO," said Webster. "The head of finance is conflicted out because [the DPO] needs to be independent of the cost of things if they're going to recommend courses of action. Similarly, the head of IT needs to spend their budget on IT, and can't be pulled in different directions because they're thinking about compliance instead."

It's no less complicated in the public sector. For example, a school's entire senior management team will be conflicted out because they need to monitor and track their pupils two tasks that are prescribed within both GDPR and the Data Protection Bill, which is currently working its way through Parliament.

Looking beyond your team

Looking beyond your existing team inevitably means you will need to trade familiarity with the way your company works for strong skills elsewhere. Cybersecurity experience (or a related qualification) is particularly sought after in a potential DPO, along with a background in heavyweight data management.

Clarke's clients, who task Crimson with finding staff for key technical roles, increasingly want to find candidates who have experience of delivering large-scale projects with a focus on data protection, as well as experience of access management, technical project management across application and infrastructure security, analytical skills, and verifiable QSA, GDPR, CISA or similar qualifications. The role itself, once they come onboard, will be very much one of management, organisation, and getting buy-in from the rest of the organisation.

Naturally, with so many demands, so little time to employ someone before the regulations kick in, and a shortage of several tens of thousands of potential candidates in the UK and across Europe, attracting the right person doesn't come cheap. Clarke said that salaries have been increasing as companies realise that it's something they need to take seriously, and Webster noticed an uptick in interest as far back as last July.

"I have an exhibition stand at the Institute of Chartered Secretaries' annual conference, which tends to be my target market," she explained. "Normally, I talk to around ten people in the day but last year people were snatching leaflets off the stand. The level of panic was phenomenal, and that's the tip of the iceberg." While FTSE 100 and 250 companies have long been aware of the potential issues, "it's filtering down to smaller companies. I don't think it's hit them yet, but it will."

Rules and regulations

The more data we gather, the more pressing are the requirements for exactly the kind of updated rules that are currently being debated, but it's important that an organisation continually assesses whether it's in compliance. Webster runs workshops with senior management from data-centric organisations. Often, she says, there are "internal surprises, where they're surprised at how much data they have got... and people in different departments aren't aware of what each other is doing.

A dedicated DPO would ensure that, even if not everyone knew how much data the company was holding, someone would and they would also have responsibility for keeping that retention and use legal. In many organisations, data retention is quite passive, which in itself would still be no defence against a charge of infringement. Webster frequently encounters delegates who think that archiving their data to a secure drive will suffice, until she asks if those same contacts are also in her Outlook inbox, which, she points out, is insecure and often stored indefinitely.

Finding the ideal candidate

Although the DPO will work closely with IT, Clark believes that the role is fundamentally administrative. "They're having to govern and make sure that people are effectively doing what they should to keep on top of the tasks [that lead to] compliance," she said. "Equally, in my opinion, it has to be someone who is quite affable and able to get really strong buy-in within the business. Those skills, while they can [seem] black and white from a 'doing' perspective, are so much more subtle than that."

To get buy-in, the DPO needs to understand the company culture, and finding the perfect candidate will often be an organic process, in which a coming together of the best talents within an organisation reveals that the ideal choice is closer at hand than expected.

"Our compliance and risk person has evolved with the company," Clarke said. "[She understands] our best practices and processes as a recruitment business, and been part of the sales support environment for years. If we were looking at someone, she would be the ideal candidate for us."

Keumars Afifi-Sabet
Features Editor

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.