Who has time to read every government document on GDPR (296 at the last count)?
The negative publicity and financial consequences of a GDPR breach are too much to even contemplate, so every business has had to bite the GDPR bullet and take the hit on profits.
The Information Commissioner's Office (ICO) tells us that a Data Protection Officer (DPO) is only compulsory if:
- You are a public authority or body (except for courts acting in their judicial capacity);
- Your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- Your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
You might be breathing a sigh of relief when you read that, but the small print is vague. There are no legal precedents, and definitions of 'large scale processing', 'behaviour tracking' and 'systematic monitoring' are next to useless.
You might think you do none of those, but common technologies such as tracking pixels, website analytics, and email marketing could all bring you into the compulsory DPO category.
What Does a DPO Do?
Your Data Protection Officer will be responsible for training and ensuring compliance with GDPR, including:
- Internal GDPR compliance
- Running regular penetration tests
- Setting up procedures to deal with GDPR requests from customers and contractors
- Identifying weaknesses in your data protection systems
- Training employees in their responsibilities
- Reporting to the CEO on all issues relating to GDPR
- Acting as a contact person for the Information Commissioner's Office (ICO)
Even if you don't come under the compulsory DPO appointment regulations, having a professional and fully up-to-date DPO has one massive advantage: You and your executives will no longer have to deal with compliance issues causing other responsibilities to suffer. You can appoint a DPO voluntarily, which would mean you were definitely covered as regards GDPR requirements, and there are two ways to do this:
- Permanent On-Staff DPO
- Outsourced Contract DPO
There are advantages and disadvantages to both options.
1. Permanent On-Staff DPO
The main advantage of an on-staff DPO is that he or she will always be available. Your DPO is always there to handle ICO and customer GDPR requests. If a data-related question arises, your DPO is there to answer it immediately.
Disadvantages include the difficulty of finding a qualified individual, plus the salary and related costs. Qualified DPOs are in high demand throughout Europe, so your new hire could be tempted by a higher salary or better conditions at another company, which would leave you with no DPO until your search turns up the right person.
2. Outsourced Contract DPO
The main advantage of outsourcing your DPO is cost. If you contract a well-respected data protection company to supply your DPO, then you have no doubts over qualifications or training. A company with 20 employees could have a contract DPO for £595 per month, and even for a larger company with 200 employees, the cost is only £995 per month. You would need a GDPR gap analysis to identify your GDPR compliance issues before your DPO is appointed, but this is a one-off cost that most businesses need to invest in regardless.
Bulletproof is one such company that allows you to outsource your company's DPO role.
Continuity is another vital advantage of outsourcing your DPO. Your contract is with a company, so if your DPO is tempted by a better offer elsewhere, it is that company which finds a replacement. Your costs are fixed, and you don't have the recruitment costs associated with finding a replacement expert.
There are disadvantages to using a contract DPO, the main one being that your DPO is not available 24/7/365. For most small and medium-sized companies, the cost savings outweigh this availability issue. Part of the outsourced DPO's role is to set up systems your other employees can use, for example so that you can respond to GDPR information requests within the legally enforceable one-month time frame.
Long Story Short
GDPR makes life difficult for everyone, but nobody can ignore it or put it off until 'tomorrow'. It makes sense to appoint a Data Protection Officer (DPO), even if you are not legally required to do so.
Using an outsourced DPO can make life more manageable again. You know the costs upfront and have time to breathe again, knowing your GDPR obligations are being taken care of.