Data regulations have always presented organisations with difficulties, but the advent of the European General Data Protection Regulation (GDPR) in May means these burdens are about to increase substantially.
Covering all the personal data of EU citizens anywhere, GDPR imposes numerous obligations including the requirement for many companies to appoint a Data Protection Officer (DPO). Since this is a new role and a new set of regulations, organisations of all sizes will likely be uncertain as to whether they need a DPO, what the job involves and who can do it. By the time they have worked it out, it could be too late.
Who does need a DPO? The majority of organisations
Article 37 of the GDPR specifies quite a long list of organisations that must appoint DPOs. This includes: all public authorities, with the exception of courts; any organisation carrying out systematic monitoring of individuals on a large scale; and any company whose core activities involve the processing of data relating to criminal convictions and offences, or what are termed “special categories” such as genetic data, health data, racial origin or sexual orientation.
This will of course excuse many organisations, yet even where the GDPR does not specifically require the appointment of a DPO, the ICO and other enforcement bodies regard the creation of the post as a matter of good practice. In addition, any organisation deciding it does not need a DPO should consider how long it will stay on the right side of the regulation. After all, even if an organisation does not need a DPO, it must still fulfil the same responsibilities – meaning a decision not to appoint a DPO can actually make fulfilling GDPR obligations harder.
With such a wide range of responsibilities, who is qualified?
A DPO's responsibilities are enormously wide-ranging. In short, the role involves supervising all data within a business that is subject to GDPR rules. But this simple definition hides the mammoth scope of the task. It will include monitoring the collection of data, justifying its possession, assuring secure storage, auditing vulnerabilities and, in many cases, overseeing the deletion of valuable material.
This breadth raises another question – who is qualified to be a DPO? The requirements can make the DPO's job description sound like some kind of data protection superhero, capable of translating legal requirements into both processes and technical needs, overseeing awareness-raising and staff training, all while empowering and not restricting the company's wider vision.
And in case this wasn't enough, it stands to reason – and is in fact specifically mentioned in the GDPR guidelines – that the more complex or high risk the data processing activities, the greater the expertise of the DPO will need to be.
Not a role for information security staff
This is a demanding set of responsibilities, and the frequent confusion between privacy and security means they are often handed to those responsible for security, which is the wrong approach. Anyone with an information security remit is charged with protecting the company and its data, whereas the responsibility of the DPO is to protect the interests of the data subject, even if these appear to clash with those of the company.
For a DPO there should be no conflicts of interest with any other activities in the organisation, and if a breach occurs, a report must go to the authorities – it cannot be a matter for debate.
Choosing the right alternative
When the role is reviewed, it is a miracle anyone wants to be a DPO. This hardly makes recruitment easy, especially as the GDPR deadline approaches and qualified personnel are in short supply.
The complexities, the demands of the job, the skills shortage and the cost of appointment – all these factors will inevitably lead to a more pragmatic approach where organisations rely on external expertise – a “DPO-as-a-service” concept.
There is a range of options for such input, from lawyers to management consultants. But despite what many of these service providers may claim, meeting ongoing requirements is not solved with an audit and a list of recommendations. That delivers only a quick fix, not ongoing observance. Ongoing observance requires a far more rigorous understanding of the way data comes into and moves through a business, including, but certainly not limited to, the technology involved.
Indeed, where an organisation is advanced enough to have already moved to the cloud, the additional dynamic to data usage that the cloud brings would logically make cloud providers the more suitable partner – provided they are not only cloud experts, but also genuine specialists in data management.
Many cloud providers purport to accommodate data management and privacy in their services, but few in fact have the history, knowledge or expertise to back it up. For many, data management is considered almost an add-on, in much the same way as an additional service such as back-up or disaster recovery.
In fact, only cloud providers that have built their original services around data management principles rather than the cloud basics of flexibility, uptime and scalability are suitably qualified to offer data management services – and DPO-as-a-Service most of all.
This is a rare breed of provider that is simultaneously capable of advising on and implementing cloud strategy while also drawing on longstanding expertise in data management and surrounding legislative frameworks, including GDPR. Only a provider with this level of experience and insight can offer immediate access to both consultancy and sophisticated tools that assist in fulfilling obligations on an ongoing basis.
Businesses are quite rightly concerned about the whole question of whether they need a DPO, and are very sensibly seeking external support before they run up against the May 25 deadline. When a business's data is located in the cloud, it is only natural for the cloud provider to be consulted for advice on data management. But that should only happen if that provider genuinely has a relevant track record, along with focus and true expertise.
Contributed by Sophie Chase-Borthwick, Global Lead – GDPR Services, Calligo.
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.