Why Appointing a DPO from within could put you at risk

Handing data protection responsibilities to an existing employee...

Posted by Nexus Protect

Wed 04th, Jul

Faced with the challenge of appointing a Data Protection Officer (DPO), many businesses' first thought is to look internally, handing data protection responsibilities to an existing employee. Yet doing so could do more harm than good to their GDPR compliance.

For some businesses, hiring a Data Protection Officer is a necessity, an essential part of the process of meeting the legal requirements laid down in the European General Data Protection Regulation (GDPR) (UK Data Bill 2018).

For others, it's simply a worthwhile addition to the team, a means of implementing GDPR-recommended best practice and proving to customers, stakeholders, and employees alike that they're taking data protection seriously.

Either way, the journey towards naming an official DPO can often serve up just as many challenges as it solves.

How do you find someone who knows your business and your data well enough to carry out the job effectively?

How do you find someone who combines that first-hand knowledge of your enterprise with a deep understanding of GDPR and other data protection regulation?

More importantly, how do you find someone who has all the necessary knowledge and data protection know-how, yet won't stretch your already limited resources?

For some businesses, the immediate answer seems obvious:

After all, who better to trust the management of your GDPR compliance at the highest level than someone already firmly established in your organisation?

That's before we mention the fact that adding DPO responsibilities to the workload of an existing employee can prove significantly more cost-effective than going through the whole hiring process to bring in someone from outside the business.

Yet as easy as it seems on the surface, appointing an internal DPO isn't always so straightforward.

At NexusProtect, we work with businesses throughout the UK to help them manage DPO responsibilities in a way that proves both cost-efficient and effective in ensuring a holistic approach to GDPR right across the board.

Here, we explain why appointing a Data Protection Officer from within your organisation may prove more difficult than you might think.

First though, let's go back to basics:

 

What is a Data Protection Officer? Does my business really need one?

In a nutshell, a Data Protection Officer is an officially named person responsible for overseeing the GDPR compliance of the organisation appointing them. If you hire a DPO, they'll be the person who supports the data lead/controller, who responds to Data Subject Access Requests, who ensures that all your compliance measures are sufficient and effective and, in a worst-case scenario, who reports a data breach to the relevant governing body. In the UK, that would be the Information Commissioner's Office (ICO).

Hiring a DPO isn't compulsory for every business or organisation. Article 37 of the GDPR states that your organisation will only be legally required to appoint a DPO if:

You're a public authority (except for courts acting in a judicial capacity)

Your core activities require "large-scale, regular and systematic monitoring of individuals"

Your core activities consist of "large-scale processing of special categories of data or data relating to criminal convictions and offences"

That being said, the Article 29 Data Protection Working Party does recommend hiring a DPO as a means of ensuring best practice.

The DPO must:

Be free to carry out their duties independently, with no influence from management or trustees
Carry out those duties at board level, reporting only to the highest level of seniority within the organisation
Be able to carry out their DPO duties without also carrying out existing operational duties that would present a clear conflict of interest.

It's at this point that we start to see clear problems with appointing an internal DPO.

Avoiding a conflict of interest

When it comes to the responsibilities of a Data Protection Officer, a conflict of interest is likely to arise in either of two situations:

1: When the DPO's other responsibilities involve defining the purposes and means of processing the very same personal data that they are responsible for protecting.

2: When the DPO's other responsibilities involve putting the interests of the business before the protection of personal data.

For example, you couldn't appoint your existing marketing manager as DPO, since they are typically responsible for determining what data is processed and why, and for using that data first and foremost to help the business increase sales.

Likewise, your IT Manager, Chief Technology Officer (CTO), and IT Security Manager are also unlikely candidates for the position, since their existing roles are likely to be concerned, at least at some level, with managing data security measures.

Again, this serves as a conflict of interest, since the DPO is responsible for determining whether those same measures are up to scratch in terms of ensuring frictionless compliance with the GDPR. On the subject of processors, the Information Commissioner's Office says:

"Controllers are liable for their compliance with the GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected."

One of these 'sufficient guarantees' made by the processor is that, where necessary, they have appointed a DPO. This also applies to any sub-processors that are hired to carry out the processing work.

As a controller, you should be confident that an appropriate person has been appointed to the role of DPO and that any processors (and their sub-processors) are meeting GDPR requirements, as their failure to do so could still result in fines for your organisation.

So far, we've considered the dangers of appointing an existing member of your workforce to the role of Data Protection Officer, all of which has likely left you with one very important question:

If hiring internally is going to create more problems than it solves, then what's the alternative?

The answer is simple, and is presented to you in GDPR Article 37(6):

"The data protection officer may be a staff member of the controller or processor or fulfil the tasks on the basis of a service contract."

In other words, there's no need to risk a potential conflict of interest by appointing an existing employee when you can outsource the work of a DPO to a third party.

Not only does this negate all the potential pitfalls of an internal appointment, but it also ensures that the person carrying out DPO services on your behalf can make the most of their position outside the company to remain fully impartial and independent, a key requirement of the GDPR.

At NexusProtect, we offer a comprehensive GDPR and DPO service to companies throughout the UK, combining years of experience in helping organisations meet data protection requirements with expertise in the most effective, affordable, and practical methods of ensuring frictionless GDPR compliance.

The result is that our clients not only meet all the necessary GDPR requirements but do so in a way that provides a long-term, tangible benefit to their day-to-day operations.
