Should I Hire a Data Protection Officer?

Should I Hire a Data Protection Officer?

If you’re familiar with the 2018 GDPR legislation put forward by the EU, then you know companies have been under pressure to manage user’s data carefully.

A data protection officer should be hired by companies who manage customer data on a regular basis. This way, you can avoid a data protection breach that could see you fined up to 20 million Euros!

With this in mind, today we’re going to explain what a data protection officer is, and whether you’re required by law to hire one. We’ll also be explaining why it’s important to do so even if you don’t have to, before giving you some advice on how to hire someone for the role.

What is a Data Protection Officer?

A data protection officer plays a key role in ensuring companies follow GDPR legislation. By doing this they help companies avoid the risks of processing personal data incorrectly.

The officer essentially forms a link between the public and the company’s employees, ensuring that their data is handled in a way that is beneficial for both parties. They also act as the person who receives data protection queries from customers.

GDPR legislation actually includes a mini job description for a data protection officer role. This includes them having expert knowledge on data protection law and the ability to fulfil the following tasks:

  • Inform and advise the company and their employees of their data protection obligations.
  • Monitor compliance with GDPR, including the assignment of responsibilities.
  • Raise awareness of GDPR legislation to staff and conduct training.
  • Provide advice on the data protection impact assessments (DPIAs).
  • Engage with the Information Commissioner’s Office or equivalent Supervisory Authority.
  • Report directly to top level management and be provided with all the resources necessary to carry out their functions.

Am I Required to Appoint a Data Protection Officer?

Some companies and organisations are required to employ a data protection officer by law. So, before we help you decide whether you should hire one, we’re going to discuss whether you have to.

Under the GDPR rules set out by the EU, you must appoint a data protection officer if:

  • You are a public authority or body (except for courts acting in their judicial capacity);
  • Your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking);
  • Your core activities consist of large-scale processing of special categories of data, or data relating to criminal convictions and offences.

If those vague definitions don’t make it clear whether you need to appoint an officer or not, here’s a breakdown of what they mean.

A public authority or body is a governmental organisation that carries out tasks in the public interest. This varies from country to country so you might need to look up the specific definition in your country’s GDPR legislation.

Core activities are the key operations necessary to achieve your company’s goals, and there isn’t really a set definition on what is considered ‘large scale’. The best examples would probably be a bank processing customer data or the behavioural advertising of a search engine.

Special categories of data are similar to Sensitive Personal Data under the Data Protection Act 1998 which include: ethnic origin; political opinions; religious beliefs; and health data. The main affected bodies would be polling companies, trade unions and healthcare providers.

Are SMEs Exempt?

Just because you’re not a huge bank, search engine, trade union or health provider, doesn’t mean you’re exempt from having to appoint a data protection officer.

The jury is out on what is considered large scale data collection and could apply to any company that collects user data. Also, if data collection is the main operation of your business, it doesn’t matter what scale the data is collected at. So, as a small to medium sized business, you might want to think about hiring someone for the job.

Why it’s Important to Hire a Data Protection Officer

Hopefully, based on the information above, you now have an idea of whether or not you’re required to employ a data protection officer. Whether you have to hire one or not, we’re going to give you some reasons why having an officer on staff is a good idea.

1. Help you catch data breaches before they become an issue

If you collect swathes of customer data and store it on any of your internal IT systems, it becomes your responsibility to take care of it. Under GDPR rules, any data breach that risks the rights and freedoms of the individuals whose data you collected needs to be reported within 72 hours of discovery.

It’s difficult to collect all the facts about a breach in this time but having a data protection officer on staff can help you understand the scope and nature of the breach. The officer can also come up with actions you plan to take to counter and mitigate the breach.

Before you even suffer one of these breaches, a data protection officer can put plans in place to handle a breach if one were to happen.

2. Allow you to make data decisions you might avoid due to GDPR

If you don’t understand GDPR, you might accidentally breach it without knowing. You might also avoid anything to do with customer data just in case you fall foul of GDPR legislation. This will likely put you at a disadvantage with your competitors.

The best way to make sure you don’t violate the law or have to avoid collecting important data is to employ an expert, namely, a data protection officer.

3. Future-proof your company by putting users at ease

The compliance and risk management think-tank TrustArc carried out a cyber security survey which found that 89 percent of consumers in the US and UK would avoid a company that doesn’t take care of their privacy.

As the digital age continues to grow, and more companies move towards GDPR compliancy, you don’t want your company to be left behind with no customers because they are put off by your lack of care for their privacy.

You could even use GDPR compliancy as a marketing tactic with the full support of your data protection officer. If you make it clear that you’re compliant, and your competitors might not be, you could snap up a lot of data-savvy consumers.

How Do I Hire a Data Protection Officer?

Now that we’ve done our best to convince you to hire a data protection officer, it’s time to find out the best way to hire one. There are a few options at your disposal depending on how compliant you want to be and how much you can afford.

Hire a data protection officer outright

If you’re a company that’s required to have a data protection officer because you handle a lot of customer data, or it’s your main source of revenue, it’s probably a good idea to have someone fill this role in your company.

As we mentioned previously, you want to hire someone who has expertise in national and European data protection laws. Alongside this key element, a job specification for a data protection officer might look something like this:

  • Deep understanding of data security and data processing procedures
  • Knowledge of your business and the sector you work in
  • Excellent communication skills, as the officer will be the public face of your business to the Information Commissioners Officer (ICO) and the general public
  • Able to train staff in data protection and promote a culture around it within the company

If you have someone already working for you who would be perfect for the role, you can promote them to data protection officer internally, as long as there’s no conflict of interest.

Outsource or share a data protection officer

If you don’t want to hire a data protection officer to work for your company, you can retain an external consultant or share one with another company. This is usually a popular option for SMEs who don’t have the budget for a full-time appointment.

It’s also difficult to find an employee who’s an expert in GDPR and integrating it into the way they manage IT systems. You might find someone who’s alright at the job. But you might be better off hiring a contractor who’s known to be an expert in the field.

Make sure that, if you’re planning to use a contractor, they have one of the following two qualifications:

  • Certified EU General Data Protection Regulation Practitioner qualification accredited to ISO 17024
  • BCS Data Protection Practitioner qualification

So, Should You Hire a Data Protection Officer?

In this post, we’ve discussed what a data protection officer is and whether you’re required to hire one. We’ve also delved into whether it’s a good idea to do so, and how you can go about it.

If you can afford to hire a data protection officer, and you deal with customer data in your business every day, there’s no reason not to hire one. If you can’t afford it you can always share with another company, hire a contractor, or just take someone on part time.

Protecting your company from violating GDPR law can save you from a hefty fine later on down the line. Nipping data breaches in the bud can help you avoid being sued, and protect your company image from harm.

This is an article provided by our partners’ network. It does not reflect the views or opinions of our editorial team and management.

Comments are closed.