What is a data protection officer?
Find out what the data protection officer role involves and who you need to hire

2023 was a record-shattering year for GDPR fines, with Meta topping the list after receiving an eye-watering £1.2bn ($1.5bn) penalty from the Irish Data Protection Commission. The role of a data protection officer (DPO) has never been more important than it is today for businesses that handle personal data.
A data protection officer is a person who is responsible for ensuring that the personal data their organization collects, holds, and processes is in compliance with data protection rules. Personal data includes information relating to identified or identifiable natural persons who can be determined from the information collected.
The UK has exited the EU, but that doesn't mean the obligation for British businesses to comply with EU law has changed. The UK has revamped its existing Data Protection Act to align with GDPR.
This means that businesses that communicate with European citizens must have solid processes that ensure their company remains within the scope of the GDPR. It doesn't matter if your organization's head office is in the UK, Asia, Europe, or the US; you must follow the guidelines if you want to communicate with customers in the eurozone.
What is the main task of a data protection officer?
The GDPR defines the role of a data protection officer as “working towards compliance with all relevant data protection laws, monitoring specific processes, such as data protection impact assessments or the awareness-raising and training of employees for data protection, as well as collaborating with the supervisory authorities.”
The DPO is responsible for their firm's GDPR compliance posture. The officer is tasked with monitoring all data processing activities on an ongoing basis, which means ensuring operations are in line with the data laws. The role includes advising on information security, checking the compliance of forms being used to gather data, and making Privacy Impact Assessments (PIA) for departments.
Within the corporate structure, DPOs generally report directly to the highest management level within the company, which usually means the CEO or the board of directors.
The DPO acts as the company's primary point of contact with the Information Commissioner's Office (ICO) on any matters relating to data protection or data privacy.
The DPO liaises directly with the regulator during investigations if a data breach occurs within a company. If a breach is likely to adversely affect the data subject's rights and freedoms, then the DPO must alert the ICO within the GDPR-mandated 72-hour time period.
The DPO also acts as the primary liaison for employees who have questions about the company's data processing policies. The officer is the public-facing touchpoint for customers or members of the public. They are responsible for acting on any subject access requests (SARs) or rectification or deletion requests that the business may receive.
Training and awareness is another element of the role. A DPO should conduct regular training sessions and audits to ensure that staff are aware of their organization's guidelines and legal responsibilities around the handling of data.
Do you need a data protection officer?
Business activity and the amount of data you process, not company size, determine the answer to this question. Companies are legally obliged to hire a data protection officer when the processing of sensitive personal data is essential to achieving their company’s goals.
When looking at Article 4 of the European Data Protection Regulation, you will come across the term ‘data subjects’. This refers to a person such as a staff member, customer, or service provider. So, who requires a data protection officer?
Hospitals that process large sets of sensitive data, security companies that monitor public or private spaces, and recruitment agencies that hold candidate data for job hunters are examples of businesses that would need a data protection officer.
Additionally, organizations that collect and process information specifically concerned with ethnicities, religious beliefs, trade union memberships, genetic data, biometrics, sexual orientation, and criminal offenses and convictions must appoint a DPO too.
Does a data protection officer need to be qualified?
Your data protection officer can be appointed from within the company, or they can be a fresh hire from outside your company.
Of course, he or she does need to be qualified to hold the position. The legislation, however, gives organizations a fairly free hand in deeming what qualifications are requisite for the role, simply stating that:
"The data protection officer shall be designated based on professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfill the tasks referred to in Article 39."
So the DPO should be well-versed in data protection law and how to comply with these rules, which is one reason former lawyers and barristers are proving popular hires with businesses that have already brought one on board. The DPO can also hold other responsibilities within the organization, as long as these don't create a conflict of interest with their DPO duties, which may be particularly handy for those businesses that wish to recruit for the position internally.

Clare is the founder of Blue Cactus Digital, a digital marketing company that helps ethical and sustainability-focused businesses grow their customer base.
Prior to becoming a marketer, Clare was a journalist, working at a range of mobile device-focused outlets including Know Your Mobile before moving into freelance life.
As a freelance writer, she drew on her expertise in mobility to write features and guides for ITPro, as well as regularly writing news stories on a wide range of topics.