The imposition of the General Data Protection Regulation, or GDPR (beginning May 25th, 2018) has resulted in the rising importance of hiring a data protection officer. But what is the right way to hire a data protection officer? What are the important considerations when choosing someone for this position?

First, it is important to know what a DPO really is.

What Is a Data Protection Officer (DPO)?

The GDPR is a highly complex set of requirements, and it is vital to ensure GDPR compliance. Knowledge of the implementation of data protection strategy is extremely important for this process. A Data Protection Officer is a skilled professional who can take on the responsibility of carrying on data protection activities in addition to the proper implementation of protective measures.

A DPO assumes the leading role of supervising the implementation of the data protection strategy. The major challenge is to ensure GDPR compliance by meeting all the requirements of the newly-imposed regulations.

What Are the Required Qualifications for a Data Protection Officer?

A professional Data Protection Officer must have:

  • Extensive knowledge of and expertise in data protection law and practices
  • Knowledge of the IT infrastructure, layout and HR system of the company
  • Impressive communication skills to ensure proper dealing with the staff
  • Exceptional management skills for ensuring the proper handling of the tasks at hand
  • Have professional experience at managerial level in cyber security, risk compliance or IT department

What Are the Key Responsibilities of a Data Protection Officer?

When hiring a Data Protection Officer it is important to determine the role and responsibilities of the job. It helps you find the perfect fit for the post of a DPO. The following are some key responsibilities for this position:

  • To determine the impact of the GDPR rules
  • To ensure that the company and the third-party service providers are completely aware of the GDPR requirements
  • To play an impartial role of an intermediary between the company/organization and the regulators
  • To ensure the provision of the training to all the users of data, making it easier for them to understand the GDPR rules and follow the best compliance practices
  • To take complete responsibility of assessments and audits dealing with the data protection, data security and data privacy
  • To develop policies for data protection and propose the processes to ensure foolproof data protection
  • To document the policies and processes and serve the stakeholders with these documentations
  • To analyze the impact of any proposed change in processes that might affect privacy or data security

Do You Need a Data Protection Officer?

If you are running a small business, you may not need to worry about hiring a DPO. Though, it is important to have a look at what GDPR rules suggest. You cannot excuse for being unaware. Following are the important considerations to determine if your company requires a Data Protection Officer.

According to the GDPR rules, you need to hire a Data Protection Officer if:

  • Over 250 employees are serving your company
  • Your company is undertaking large scale data processing/collection/storage
  • A public body/authority is involved in data processing/collection/storage
  • Your company is processing sophisticated information about (not limited to) sexual orientation, health, geolocation, genetics, children, trade union membership and so on
  • Your company is processing/tracking/monitoring IPs, Internet traffic and visitors and other such information
  • Your company is either tracking or monitoring data/information in a systematic manner. For instance, the systematic monitoring/tracking of a user’s video data, reviews, preferences and so on
  • Your company is processing data related to criminal offenses

Can I Assign the Role of DPO to an Existing Employee?

Internal hiring of a Data Protection Officer is allowed, but you need to keep certain factors in mind before thinking about this option. First, you need to make sure that the potential candidate meets the mandatory criteria in terms of qualifications and necessary requirements. If you don’t find an existing employee capable of assuming the role of a DPO, then it is better to opt for an external hire.

The internal hiring of a DPO without meeting the necessary requirements does not ensure legal protection. In the eyes of law, such officers are not legitimate to assume the role. Effectively, your company is still missing the privacy officer.

The external data protection officer is a better choice for many reasons. Firstly, he/she is a certified expert and joins your company to facilitate as a service provider. Generally, these experts ensure the provision of better performance and effective data protection measures.

Competence

The competence of an internal DPO rarely matches to that of an external DPO. You need to consider exceptional training in an attempt to help your internally hired DPO. Even after the training and all the effort, you cannot guarantee exceptional results.

An external DPO is more competent because he/she is qualified, has relevant experience and skills. Secondly, the external DPO will quickly put things on the right track. External hiring will ensure the development of timely strategies, planning, and implementation.

The internal DPO has a slight advantage though. He/she is already familiar with the company’s operations. An external DPO requires some time to become familiar with the company’s processes and operation procedures.

Cost

When hiring an external data protection officer, the cost is pre-determined during the contract agreement. The company knows exactly what it has to pay. In addition, the external DPO does not require training.

In the case of hiring an internal DPO, you will have to think about the training and education expenses. In addition, you will have to ensure the acquisition of literature you will have to pay for on top of the regular salary.

In the long run, the chances of mishandling or lack of proper strategic implementation are higher in the case of an internal DPO. This could lead to a major GDPR violation and result in heavy fines.

An external DPO, being well-qualified and the expert in this field, will reduce the risk of poor planning. You will not have to worry about the heavy fines because the chances of violation are less when the supervisor is a better fit for the job.

Liability

This is arguably the most important consideration when comparing internal and external data protection officers.

You cannot underestimate the possibility of an occasional mishandling of data or the violation of any of the GDPR rules. Here, a company needs to protect itself. In the case of an internally-hired DPO, the manager is fully liable in the eyes of the law. The DPO will only bear the limited employee liability. You cannot dismiss the internal DPO.

However, there is a lesser risk for the company in the case of an external data protection officer. The external data protection officer bears the liability of giving certain advice, and the company will have someone to blame. You can terminate the contract without any complications.

Conclusion

There are heavy fines against the violation of GDPR rules. It is not a wise move to look for a cheap DPO. It may save you some money for the time being, but you need to avoid those heavy fines, and skimping now may end up getting you more trouble later.

Look for highly-professional, skilled DPOs, because it is not merely about the protection of online data. You have to ensure the protection of devices, reduce the risk of unauthorized access, and ensure foolproof security against unwanted access to servers. Upon hiring, let the DPO become familiar with the company’s processes and give him/her the needed space to ensure good results.

Sources

A Complete Guide For Hiring A Data Protection Officer (DPO), Ecomply

Designation of the data protection officer, Art. 37 GDPR, Intersoft Consulting

How To Hire A Data Protection Officer, Forbes

2018’s Most Crucial Job: How to Hire a Data Protection Officer, Techgenix