
VSEC Blog: IT Security Channel News brought to you by Infinigate UK


GDPR and the DPO: Five Things to Know About Your Next Job Vacancy

Topics: Data Protection, Compliance, GDPR

Posted: 24 February 2017


If the GDPR (General Data Protection Regulation), the EU's data protection harmonisation project, were to become a Hollywood movie, its genre would most likely be horror. Focus on the regulation over the past twelve months has been aimed mostly at its penalties, with scare stories in no short supply. The GDPR has been accused of many things: visionary, giver of rights, stress inducer and even destroyer of marketing, but never job creator. Yet for many aspiring data protection professionals it is precisely that.

The DPO's Grand Entrance

Buried deep in the pages of the GDPR, article thirty-seven gives rise to the creation of a new supervisory appointment referred to as a DPO (Data Protection Officer). This mysterious data protection superhero role, a path upon which none have walked before, can be better understood from the following five points:

  1. Public Authorities Must Appoint - Public sector information security departments will be welcoming a new addition to their team under the GDPR. All public sector organisations, with the exception of the courts, which process the personal information of data subjects must appoint a DPO to oversee processing activities. The courts and, in some cases, law enforcement are omitted from various parts of the GDPR to prevent it becoming a hindrance to maintaining public safety.
  2. The Role is Optional but Recommended for Most Organisations - There exists an interesting mixture of information available online suggesting that organisations larger than a specified size would face a mandatory requirement to appoint a DPO. However, this is untrue. The GDPR simply says that a DPO is necessary if an organisation's activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or when processing special categories of data, such as those relating to criminal convictions and offences. The ambiguity is such that it may be in the best interests of most to consider creating the role for risk-containment purposes even if there is no obvious requirement.
  3. DPOs Must Have Demonstrable Expertise - From the very beginning of the GDPR's inception, the EU has been resolute in preventing it from becoming a tick-in-the-box compliance activity. The role of DPO is no different: it cannot be nominally assigned to an unqualified member of staff. Instead, the regulation calls for DPOs to have expert knowledge of data protection law and practices.
  4. They Must Be Accessible to Data Subjects - In addition to supervising the data processing activities of the data controller/processor and ensuring its compliance, the DPO is there to help data subjects exercise their rights. The name and contact details of your DPO must be published on any reports related to personal data processing and, crucially, on the organisation's public website.
  5. Shared DPOs or vDPOs are Allowed - Most small to medium sized businesses across Europe are unlikely to require the services of a DPO on a full-time basis. In recognition of this, the GDPR accepts that DPOs can be shared across organisations so long as their role in each is not compromised or diminished by another. This has already spawned the creation of a new service known as the virtual DPO: a third-party outsourced offering which provides a DPO presence for an agreed number of days per year.

In short, the position of the DPO is intended to place a personified GDPR rule book into organisations which are handling and processing the personal information of data subjects. Rather than have the supervisory authority (the ICO in the UK) attempting to police the enforcement of the regulation, a hierarchy of sorts allows this responsibility to be passed down to each DPO. A one-stop-shop role for all things data protection.

DPO for Hire

For organisations that already have an Information Security Officer, it makes simple sense to merge the roles through additional training; after all, there are many nods to the ISO 27001 standard in the articles of the GDPR, something your ISO will already be familiar with. For smaller organisations, or those who are unsure whether they even need DPO services, the flexibility of a vDPO option is a better and more cost-effective proposition.

While the negative feelings about the GDPR are subjective, its job creation prospects are not. Expect to see plenty of job adverts for data protection officers adorning the websites of recruitment consultants in the years to come. The DPO is here to stay.

(This article first appeared on the Tripwire blog)


Posted by: Infinigate UK
