GDPR Compliance: Filling the DPO Position

Photo by Samuel Zeller on Unsplash

With just over a month to go until the EU’s General Data Protection Regulation (GDPR) goes into effect, organizations around the world are accelerating their readiness efforts. For those required to designate a data protection officer (DPO), filling this position with the right combination of skills, knowledge, and experience should rank high on the list of issues to address between now and May 25. (If you’re not sure whether your organization needs a data protection officer, refer to our post “GDPR Compliance: Does My Company Need a DPO?”)

The DPO’s Required Tasks

According to Article 39 of the GDPR, the DPO is required to execute “at least” the following duties:

  • Informing and advising the data controller or processor and its employees of their obligations related to GDPR and other EU member state data protection laws
  • Monitoring compliance with GDPR and member state data protection laws as well as with internal policies related to the protection of personal data
  • Monitoring performance of data protection impact assessments (DPIAs)
  • Cooperating with the supervisory authority and acting as the authority’s point of contact on issues related to the processing of personal data

In addition to these tasks, the Article 29 Data Protection Working Party (WP29) — the interpreting body for the GDPR — states, “It is crucial that the DPO is involved from the earliest stage possible in all issues relating to data protection.”

One Title, Many Roles

On the subject of the DPO’s qualifications, Article 37 of the GDPR states only that he or she “be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.” Successful execution of these tasks would require the DPO to have expertise in a broad array of disciplines, including the following:

  • Master Data Management: Your DPO must have a deep understanding of your company’s data processing activities, the methods being used to process personal data (both internally and via third parties), and the business reasons for doing so.
  • Data Policy Development: Compliance with GDPR requires developing new policies to ensure that all requirements become embedded in the organization’s day-to-day activities.
  • Enterprise Security and Risk Management: Article 32 of the GDPR requires that all data processors “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.” Therefore, the DPO must have significant expertise in the area of data security procedures and keep up with the continuously changing cyberthreat landscape.
  • System Auditing: The DPO must have the necessary skills to evaluate systems that process personal data and perform a gap analysis to determine what needs to be done to achieve compliance.
  • Communication and Training: Once the necessary data protection measures are in place, the organization must communicate the new policies and procedures and train all employees whose work is impacted. As the individual charged with ensuring compliance, the DPO should be involved in developing these communications and training programs.

Finding the Right Mix

Given the breadth of skills and experience required, it can be difficult if not impossible to find a single individual capable of executing all the DPO’s tasks equally well. While some duties — such as serving as a single point of contact for authorities — must be filled by an individual, others require coordination with a team of individuals, either internal or external.

Assigning an internal team to execute these duties may appear to be the obvious choice; however, this approach has its limitations. First, you may not find all the required skills in your current employee base. Second, any team member tapped for GDPR-related tasks will probably have other responsibilities to fulfill … and when their plates fill up with other work, compliance duties could be the first to be relegated to the back burner. Finally, any turnover in personnel will require covering duties while the person is being replaced and training the new team member, requiring additional time and resources.

By engaging a third party with proven expertise in GDPR readiness, organizations have the opportunity to cover the DPO’s duties while avoiding the shortcomings of the internal approach. An outside firm can provide the full array of skills, expertise, and experience needed to address the GDPR’s vast array of requirements. Because they are dedicated to your compliance needs, they can ensure that all duties are executed promptly and correctly, regardless of what else may be happening within your company. And they can ensure the continuity required to maintain alignment with the GDPR requirements that apply to your organization.

Choosing the Right Partner

When choosing a partner to help address the execution of your DPO’s duties, the first thing to look for is deep knowledge of the GDPR and experience in helping clients work towards compliance. Your partner should be thoroughly versed in all the regulation’s requirements and should understand exactly how it applies to your organization.

The right partner will also fill the wish list of DPO qualifications listed above (see “One Title, Many Roles”). Make sure they have a successful track record in critical areas such as master data management, regulatory compliance, data security and risk assessment, and other areas that relate to your DPO’s job description.

While the GDPR gives explicit instructions for certain organizations to appoint a data protection officer, it does not require that every aspect of the job be performed by a single person. In fact, as we discussed, the broad range of skills and experience requirements make it highly unlikely that an individual can offer all the required qualities, let alone have the time to fulfill all duties working alone. Partnering with a third party allows organizations to fill the DPO’s skills and experience gaps while also offering the flexibility and consistency they need — not only to be ready for May 25, but also to make GDPR compliance a part of their regular operations.

If you have any questions about how to prepare for GDPR, give us a call.

Jill Reber, April 2018