Complying with the EU GDPR (General Data Protection Regulation) is mostly about hard work and organisation, but there’s also a little bit of luck involved – at least when it comes to appointing a DPO (data protection officer).
The position, which is mandatory for many organisations under the GDPR, has caused a massive spike in demand for data protection experts. Unless the perfect candidate falls into your lap, you’ll probably spend a lot of time looking for someone who meets all the requirements.
Who needs a DPO?
Organisations within the scope of the GDPR will need to appoint a DPO if they:
- Are a public authority or body;
- Regularly and systematically monitor data subjects; or
- Process special categories of data on a large scale.
These aren’t the only organisations looking for DPOs, though. In 2017, the WP29 (Article 29 Working Party) released guidance advising that all organisations appoint a DPO as a matter of best practice.
What a DPO does
Essentially, a DPO monitors an organisation’s application of the GDPR and ensures that it remains compliant. This includes:
- Advising the organisation’s staff on their data protection responsibilities;
- Monitoring the organisation’s data protection policies and procedures;
- Advising management on the necessity of DPIAs (data protection impact assessments);
- Serving as the point of contact between the organisation and its supervisory authority regarding data protection issues; and
- Serving as the point of contact for individuals on privacy matters, such as DSARs (data subject access requests).
A full list of the DPO’s responsibilities is outlined in Article 39 of the GDPR.
Why is it so hard to find a DPO?
DPOs must be experienced data protection experts. Although they don’t need to hold specific qualifications, they are expected to be able to demonstrate their knowledge of data protection law and the GDPR in particular.
There aren’t many people who meet these criteria. A DPO can be appointed externally or hired in-house, but either way, their skills will be in high demand and you’ll need to persuade them that your organisation is the right option. You might have an advantage when it comes to an in-house candidate, but you need to ensure that there isn’t a conflict of interest between their responsibilities as a DPO and their existing position.
DPO as a service
If you’re worried about finding a DPO, there is another option: DPO as a service. This practical and cost-effective solution takes the hassle out of searching for a DPO. One of our data protection experts will fill the role for you, providing guidance whenever you need it.
You’ll be able to:
- Access independent DPO expertise not available internally;
- Be sure that your DPO has no conflict of interest;
- Receive best-practice advice on achieving and maintaining GDPR compliance; and
- Access GDPR training and compliance solutions.