Why Appointing a DPO from within could put you at risk

Handing data protection responsibilities to an existing employee...

Posted by Nexus Protect

Wed 04th, Jul

Faced with the challenge of appointing a Data Protection Officer (DPO), many businesses' first thought is to look internally, handing data protection responsibilities to an existing employee. Yet doing so could do more harm than good to their GDPR compliance.

For some businesses, hiring a Data Protection Officer is a necessity, an essential part of the process of meeting the legal requirements laid down in the European General Data Protection Regulation (GDPR) (UK Data Bill 2018).

For others, it's simply a worthwhile addition to the team, a means of implementing GDPR-recommended best practice and proving to customers, stakeholders, and employees alike that they're taking data protection seriously.

Either way, the journey towards naming an official DPO can often raise just as many challenges as it solves.

How do you find someone who knows your business and your data well enough to carry out the job effectively?

How do you find someone who combines that first-hand knowledge of your enterprise with a deep understanding of GDPR and other data protection regulations?

More importantly, how do you find someone who has all the necessary knowledge and data protection know-how, yet won't stretch your already limited resources?

For some businesses, the immediate answer seems obvious:

After all, who better to trust the management of your GDPR compliance at the highest level than someone already firmly established in your organisation?

That's before we mention the fact that adding DPO responsibilities to the workload of an existing employee can prove significantly more cost-effective than going through the whole hiring process to bring in someone from outside the business.

Yet as easy as it seems on the surface, appointing an internal DPO isn't always so straightforward.

At NexusProtect, we work with businesses throughout the UK to help them manage DPO responsibilities in a way that proves both cost-efficient and effective in ensuring a holistic approach to GDPR right across the board.

Here, we explain why appointing a Data Protection Officer from within your organisation may prove more difficult than you might think.

First though, let's go back to basics:

What is a Data Protection Officer? Does my business really need one?

In a nutshell, a Data Protection Officer is an officially named person responsible for overseeing the GDPR compliance of the organisation appointing them. If you hire a DPO, they'll be the person who supports the data lead or controller, who responds to Data Subject Access Requests, who ensures that all your compliance measures are sufficient and effective and, in a worst-case scenario, who reports a data breach to the relevant governing body. In the UK, that would be the Information Commissioner's Office (ICO).

Hiring a DPO isn't compulsory for every business or organisation. Article 37 of the GDPR states that your organisation is legally required to appoint a DPO only if:

You're a public authority (except for courts acting in a judicial capacity)

Your core activities require "large-scale, regular and systematic monitoring of individuals"

Your core activities consist of "large-scale processing of special categories of data or data relating to criminal convictions and offences"

That being said, the Article 29 Data Protection Working Party does recommend hiring a DPO as a means of ensuring best practice.

The DPO must:

Be free to carry out their duties independently, with no influence from management or trustees
Carry out those duties at board level, reporting only to the highest level of seniority within the organisation
Be able to carry out their DPO duties without also carrying out existing operational duties that present a clear conflict of interest.

It's at this point that we start to see clear problems with appointing an internal DPO.

Avoiding a conflict of interest

When it comes to the responsibilities of a Data Protection Officer, a conflict of interest is likely to arise in either of two situations:

1: When the DPO's other responsibilities involve defining the purposes and means of processing the very same personal data whose protection they are responsible for overseeing.

2: When the DPO's other responsibilities involve putting the interests of the business before the protection of personal data.

For example, you couldn't appoint your existing marketing manager as DPO, as they are typically responsible for determining what data is processed and why, and for using that data first and foremost to help the business increase sales.
Likewise, your IT Manager, Chief Technology Officer (CTO), and IT Security Manager are unlikely candidates for the position, since their existing roles are likely to be concerned, at least at some level, with managing data security measures.

Again, this presents a conflict of interest, since the DPO is responsible for determining whether those same measures are up to scratch in terms of ensuring frictionless compliance with the GDPR. The Information Commissioner's Office says:

"Controllers are liable for their compliance with the GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected."

One of these 'sufficient guarantees' made by the processor is that, where necessary, they have appointed a DPO. This also applies to any sub-processors that are hired to carry out the processing work.

As a controller, you should be confident that an appropriate person has been appointed to the role of DPO and that any processors (and their sub-processors) are meeting GDPR requirements, as their failure to do so could still result in fines for your organisation.

So far, we've considered the dangers in appointing an existing member of your workforce to the role of Data Protection Officer, all of which has likely left you with one very important question you need answering:

If hiring internally is going to create more problems than it solves, then what's the alternative?

The answer is simple, and is presented to you in GDPR Article 37(6):

"The data protection officer may be a staff member of the controller or processor or fulfil the tasks on the basis of a service contract."

In other words, there's no need to risk a potential conflict of interest by appointing an existing employee when you can outsource the work of a DPO to a third party.

Not only does this negate all the potential pitfalls of an internal appointment, but it also ensures that the person carrying out DPO services on your behalf can make the most of their position outside the company to remain fully impartial and independent, a key requirement of the GDPR.

At NexusProtect, we offer a comprehensive GDPR and DPO service to companies throughout the UK, combining years of experience in helping organisations to meet data protection requirements with expertise in the most effective, affordable, and practical methods of ensuring frictionless GDPR compliance.

The result is that our clients not only ensure they meet all the necessary GDPR requirements but that they do so in a way that provides a long-term, tangible benefit to their day-to-day operation.
