Into the limelight, Data Protection Officer

Simon Merrick, GDPR Transformation Specialist at Agilisys discusses why it’s time for data protection officers to step out of the shadows

I like the sound of the Data Protection Officer (DPO). It’s an easy-to-understand role. This person is going to ‘protect data’. My data. Fabulous.

A public-sector organisation that has a DPO in place is demonstrating that it is serious about doing the right thing by my data. It also demonstrates that they’ve registered the importance of Article 37 of the General Data Protection Regulation – bedtime reading for any data-privacy-conscious CEO.

Sadly, there is a distinct lack of visibility of the DPO in some public-sector bodies. On many a council or health website you’ll see “contact the Information Governance Team” for data protection issues.

Don’t get me wrong, I’ve nothing against the IG function in public sector bodies – it provides a much-needed service to lubricate and control the complex data flows in, across and out of the organisation. But, to the rest of us, it doesn’t scream “we’re protecting your data and treating it like gold dust”, which at the end of the day is what employees, customers and the Information Commissioner’s Office (ICO) want to see.
GDPR and the DPO

The biggest data protection related talking point is the General Data Protection Regulation (GDPR) and, with the 25 May enforcement date fast approaching, how will the GDPR impact the DPO role?

The GDPR is an aspirational and complex piece of legislation, but it’s clear on one thing: public sector bodies, unless they are a court acting in a judicial capacity, must appoint a DPO, no ifs, no buts. This means all local government, central government, health trusts and schools and higher education, where publicly funded.

The GDPR is also clear on the role, activity and responsibilities for the DPO and it’s bigger than under the Data Protection Act today. Moreover, that person must report directly to the highest level of management. That’ll be the CEO or Board and not necessarily the Head of Legal or Head of Compliance. Whereas previously the DPO would have been rolled in to resolve a particularly thorny Freedom of Information (FOI) request, it would be reasonable to expect, with the GDPR in place, the presentation of a monthly DPO report to the board, thus bringing into sharp focus the need to recruit or appoint a DPO.
Finding a DPO

Finding the right candidate can be tricky, which might explain why, with just one month to go until GDPR, there are still public bodies that haven’t appointed a DPO.

The person filling the shoes of the DPO needs to have stripes on their sleeve. A great DPO will have legal thinking and knowledge. They’ll have business acumen and operational knowledge and be able to engage with the melting pot of stakeholders with the skill of a master chef. That’s a rare breed indeed. With the GDPR having been maturing in the barrel for two years, a lack of time to find the right candidate is going to be a difficult conversation with an enquiring ICO officer.

For some smaller public bodies like schools, small health trusts and small local councils, finding, funding and retaining the right candidate is a real and ongoing challenge, but there are solutions.

Such bodies can share a DPO. So long as the DPO has capacity and resources commensurate with the organisations they are supporting, this can work. A team of three can also share the workload, so long as one person is designated as DPO. This also provides the opportunity for healthy debate and reduces conflicts of interest. The DPO role itself or a privacy team can be contracted out, but there are risks to consider with this. Not least is that accountability cannot be outsourced and having clarity on the ‘service contract’, third party control and termination clauses will be crucial to ensuring money is not wasted. The same applies to ensuring that any third party has a physical presence to complete their duties effectively.

In closing, data privacy and building trust with customers and citizens is a compliance and transformation challenge that doesn’t and shouldn’t stop after 25 May 2018. Whilst all public-sector bodies will have work to do after that date, appointing the DPO should not be one of them.