Into the limelight, Data Protection Officer

Simon Merrick, GDPR Transformation Specialist at Agilisys discusses why it’s time for data protection officers to step out of the shadows

I like the sound of the Data Protection Officer (DPO). It’s an easy-to-understand role: this person is going to ‘protect data’. My data. Fabulous.

A public-sector organisation that has a DPO in place is demonstrating that it is serious about doing the right thing by my data. It also demonstrates that it has registered the importance of Article 37 of the General Data Protection Regulation – bedtime reading for any privacy-conscious CEO.

Sadly, there is a distinct lack of visibility of the DPO in some public-sector bodies. On many a council or health website you’ll see “contact the Information Governance Team” for data protection issues.

Don’t get me wrong, I’ve nothing against the IG function in public-sector bodies – it provides a much-needed service that lubricates and controls the complex data flows into, across and out of the organisation. But, to the rest of us, it doesn’t scream “we’re protecting your data and treating it like gold dust”, which at the end of the day is what employees, customers and the Information Commissioner’s Office (ICO) want to see.

GDPR and the DPO

The biggest data-protection talking point is the General Data Protection Regulation (GDPR) and, with the 25 May enforcement date fast approaching, the question is how the GDPR will change the DPO role.

The GDPR is an aspirational and complex piece of legislation, but it’s clear on one thing: public-sector bodies, unless they are a court acting in a judicial capacity, must appoint a DPO, no ifs, no buts. That means all local government, central government, health trusts, schools and, where publicly funded, higher education.

The GDPR is also clear on the role, activities and responsibilities of the DPO, and they go beyond anything required under the Data Protection Act today. Moreover, that person must report directly to the highest level of management. That’ll be the CEO or the Board, and not necessarily the Head of Legal or Head of Compliance. Whereas previously the DPO would have been rolled in to resolve a particularly thorny Freedom of Information (FOI) request, with the GDPR in place it would be reasonable to expect a monthly DPO report to the board, bringing into sharp focus the need to recruit or appoint a DPO.

Finding a DPO

Finding the right candidate can be tricky, which might explain why, with just one month to go until the GDPR applies, there are still public bodies that haven’t appointed a DPO.

The person filling the shoes of the DPO needs to have stripes on their sleeve. A great DPO will have legal thinking and knowledge. They’ll have business acumen and operational knowledge, and be able to engage with the melting pot of stakeholders with the skill of a master chef. That’s a rare breed indeed. With the GDPR having matured in the barrel for two years, a lack of time to find the right candidate is going to be a difficult conversation to have with an enquiring ICO officer.

For some smaller public bodies, like schools, small health trusts and small local councils, finding, funding and retaining the right candidate is a real and ongoing challenge, but there are solutions.

Such bodies can share a DPO. So long as the DPO has capacity and resources commensurate with the organisations they are supporting, this can work. A team of three can also share the workload, so long as one person is designated as the DPO. This also provides the opportunity for healthy debate and reduces conflicts of interest. The DPO role itself, or a privacy team, can be contracted out, but there are risks to consider with this. Not least is that accountability cannot be outsourced, and having clarity on the ‘service contract’, third-party control and termination clauses will be crucial to ensuring money is not wasted. The same applies to ensuring that any third party has a physical presence sufficient to complete their duties effectively.

In closing, data privacy and building trust with customers and citizens is a compliance and transformation challenge that doesn’t and shouldn’t stop after 25 May 2018. Whilst all public-sector bodies will have work to do after that date, appointing the DPO should not be part of it.
