External Data Protection Officer (DPO)
Not every organisation is required to appoint a Data Protection Officer. Under Article 37 of GDPR, examples of those that are include:
Public Authorities (but not Parish or Town councils within the UK)
Organisations whose core activities involve regular and systematic monitoring of individuals on a large scale
Organisations whose core activities involve large-scale processing of special category data (for example health data) or data relating to criminal convictions and offences
Note that the DPO requirement has no employee-count or turnover threshold: a small company is still caught if its core activities fall into one of the categories above.
This list is not exhaustive; for a full list please check the Information Commissioner's website at https://www.ico.org.uk
If you are not legally required under GDPR to have a Data Protection Officer, but you still wish to have someone perform that role, we would strongly advise giving them the job title of Data Protection Manager or Data Protection Team Leader instead. The reason is that the job title of Data Protection Officer confers on that person distinct rights under GDPR, but also confers on them distinct legal responsibilities, and on you the obligation to support the role as if the appointment were mandatory.
If you decide to appoint (or are legally required to appoint) a Data Protection Officer, the next decision is whether to appoint someone internally or to use an external Data Protection Officer from Ensurety.
We would strongly recommend the appointment of an external Data Protection Officer (DPO) and before you think "well, they would say that, it's how they make money" - please allow us to explain for a few seconds why we recommend an external DPO.
One of the crucial roles of the Data Protection Officer is to advise on, and monitor the performance of, Data Protection Impact Assessments (DPIAs, often also called Data Privacy Impact Assessments). Under GDPR a DPIA is required before you start any processing that is likely to result in a high risk to individuals; in practice this includes introducing a new procedure that handles personal data, implementing new software (or a major upgrade to the software you already have in place), or otherwise changing how personal data is collected, shared or accessed.
While carrying out a DPIA is not too technically challenging, GDPR requires you to seek the advice of your Data Protection Officer when completing it, and the DPIA should record that advice and whether it was followed.
There are two key criteria here:
1) The Data Protection Officer must be considered (in the eyes of a reasonable person) to be independent. Whilst there will no doubt be a full legal argument at some point about what precisely 'independent' means in this context, the ICO has already made clear that someone who is the Managing Director, Finance Director, HR Director or IT Director of the company would not be considered independent, because those roles decide the purposes and means of processing and so cannot impartially assess it. The DPO therefore cannot be someone holding one of those four roles, or any similar senior role with the same conflict of interest.
2) The Data Protection Officer must have the ability to say "No, stop, I consider the risk to individuals if we proceed with this course of action to be too high". If the DPO says "No", the organisation should stop and think very carefully before proceeding with the planned change. While the Directors of the company can make a minuted decision to override the opinion of the DPO and proceed anyway, the DPO's advice and the reasons for not following it must be recorded in the DPIA, and that record will weigh heavily against the organisation in any ICO investigation should a data breach later occur.
For both of these reasons, we believe Ensurety is best placed to act as your external Data Protection Officer (DPO), providing you with a knowledgeable DPO at significantly less financial investment than recruiting one onto your payroll (Data Protection Officers are in short supply, and the introduction of GDPR has seen the average salary of a Data Protection Officer rise from £25k per year to around £38k per year).
We aim to provide a very cost-effective DPO service. We work alongside you both prior to, and during, the completion of your Data Protection Impact Assessments (DPIAs), which keeps to an absolute minimum the number of times (we would hope never!) that we need to review a completed DPIA and tell you to stop. Because we are external consultants, you pay only for the time involved; as a guide to budget, a typical DPIA will cost under £2000 (excluding VAT) to complete.