Since the GDPR (General Data Protection Regulation) came into effect in May 2018, the international shortage of DPOs (data protection officers) has increased. The Regulation stipulates that certain organizations must appoint a DPO to monitor data protection compliance and act as a contact point for data subjects and supervisory authorities.
The appointed person must have data protection expertise, but the GDPR doesn’t specify what level of experience or qualifications is required. Many organizations may have appointed a DPO without the necessary skills to fulfill the role, leaving them open to errors and vulnerable should the supervisory authority – for the UK, the ICO (Information Commissioner’s Office) – decide to investigate. It’s also vital that the chosen DPO doesn’t have a conflict of interest, i.e. doesn’t determine the purposes and means of processing the personal data.
You will need to appoint a DPO if you:
- Are a public authority or body
- Regularly and systematically monitor data subjects
- Process special categories of data on a large scale
What about outsourcing?
The GDPR is clear that outsourcing a DPO is an option, which should be considered when an organization doesn’t have a privacy department. Some benefits of outsourcing the DPO role:
- Cost effective when compared to hiring a privacy professional full time
- You can rely on several experienced DPOs rather than just one, which means more hands on deck should you suffer a breach
- The DPOs are available 24/7, and there’s no holiday or sick leave
- No conflicts of interest
IT Governance offers DPO as a service on an annual subscription basis.
You’ll get a certain number of hours each month to use the services of our DPOs, covering the following responsibilities:
- Review and advise on policies, procedures, and documentation relating to the processing of personal data
- Oversee the establishment and maintenance of the personal data processing register
- Advise on the necessity of a data protection impact assessment, the manner of its implementation and outcomes
- Provide guidance on data breach monitoring, management and reporting
- Provide advice and guidance on responses to individuals exercising any or all of their rights (informed, access, rectification, object, erasure, data portability, restrict processing, automated decision making and profiling)
- Serve as the contact point to data protection authorities for all data protection issues
- Facilitate GDPR awareness training and the training of staff involved in data processing operations
- Monitor compliance with the GDPR
Are you #BreachReady?
The DPO as a service (GDPR) is one of many products in our #BreachReady promotion. To help your organization become #BreachReady this summer, we’re offering up to 20% off all sorts of solutions to prevent or mitigate the effect of data breaches.