So you’ve decided you need a Data Protection Officer (DPO) for GDPR compliance. Great.
But who should it be?
On the surface, choosing a DPO can sound like a difficult problem, but it really isn’t.
The DPO has to be a named person and it’s your choice whether they be full time or part-time in the role. That will very much depend on the workload.
The best place to start is by looking at what roles you have in place already. It’s quite possible you actually have a DPO somewhere in the organisation, or at the very least have informally designated someone previously. Do some digging to check this base isn’t already covered.
The next step is to exclude your operational IT and security personnel, due to a clear conflict of interest. The GDPR states that the DPO must not be conflicted by having a dual role of governing data protection whilst also defining how data is managed. You can’t be both a poacher and gamekeeper. In the real world, this means that an IT Manager, IT Director, CTO or Security Manager are highly unlikely to be able to also be a DPO. Additionally, you may find other positions that represent a conflict, such as a Marketing Manager. Be wary of these conflicts.
The DPO role is fundamentally about governance and compliance. In turn, this sits naturally with legal and Security Governance teams. Larger organisations will have an in-house counsel (lawyer) who could be a DPO. They may also have a separation of operational IT Security and Security Governance teams. This separation usually results in the Governance function sitting outside of IT, which removes the conflict of interest for a DPO. A Chief Information Security Officer “CISO” means many things to many people, and could sit both inside and outside of IT, so don’t assume that this position could automatically hold the DPO role without conflict.
Knowing that the DPO needs to be a governance type role is one thing, but you’ll need to ensure that they are also recognised as a board level adviser. The DPO is a “protected” role in that you can’t fire a DPO if they do their job too well (like informing the regulator of a breach). The DPO has to be truly recognised as a high level role inside the organisation and well respected by all. Your DPO is critical to the success of your GDPR compliance, your protection of personal data and your key person in the event of a data breach. Communication skills and gravitas are highly important assets for them to possess.
The subject of skills is a very pertinent one. The DPO is unlike any other role in the whole organisation in what it requires. A DPO needs advanced knowledge on the GDPR and other relevant data protection laws. They need to understand the business, the data it handles and how to interact with the customer base and the regulator. The DPO needs to understand Data Security to a good level and needs to be up-to-date with the latest threats to the business and the data it protects.
One overlooked consideration is whether a dual-role DPO is really a wise move. You want the very best talent for your DPO, and for larger organisations, it’s rare to find an existing employee that is of high calibre that also has large amounts of spare capacity to take on the role. Under the GDPR, the DPO is not a small role, especially in the run-up phase to gain compliance.
However, many small to medium size enterprises are well suited to the dual role DPO. I know of one with a legal counsel as their DPO and one is using their Head of Compliance. There is no magic answer, and no one size fits all, but be prepared for your dual role DPO feeling pressures on both sides of their job for time and attention. The WP29 advises that the judgement should be made on a case-by-case basis.
A common question is in which team to place a full time DPO. Should they report to legal, to the CEO or to Risk? Who their line manager is or what dotted lines they have doesn’t really matter, as long as they are not conflicted by their reporting line and are freely reporting up to the board.
Lastly, consider appointing a dedicated outside DPO consultant. They’ll be named as your DPO and wear your corporate hat. This kind of service contract can be a great choice where a DPO is needed but no current employee can take on the role, and hiring someone would be excessive. Some organisations only need 2 or 3 days of a DPO per month. At Cognition we provide these “virtual DPO” services, and have a number of customers where we are their named DPO. The virtual DPO can actually be a team of people, each providing their own specialities to make a greater whole. In this approach, a specific person should be nominated as the lead of the DPO function.
If you’d like some help on nominating your DPO, or would like to hear about outside DP options just get in touch.