I have been busy over the last month or so trying to get ideas for my PhD research that is looking at the role of the Data Protection Officer. If you are interested, please pop over to our dedicated research site.
Posts so far look at:
- A comparison of the Spanish and French schemes for DPOs
- What needs to be considered when designating a DPO and the different ways in which the legislation is being interpreted
- Whether there can be a single scheme for all DPOs, how effective it would be and whether it is practical to implement
You can also sign up to participate – the more the merrier!
This presentation considered:
- what emerging best practice is available for those in the role of DPO
- the challenges of developing skill sets as a DPO
- the value of qualifications
- professional development options
The presentation was given at the IRMS conference on 21 May 2019. A big thank you to all of those that attended and to those who took the time to provide useful feedback.
Tkm Consulting – Data Protection Services
Tkm Consulting provides data protection training and consultancy across the UK, having worked with data protection laws and information governance for the last 20 years.
Here at Tkm, we offer a range of data protection qualifications including professional certificates from the BCS, courses certificated by the SQA, and customised in house training.
We provide Data Protection Officer services as well as advice and guidance on practical compliance with data protection laws.
Check out our blogs on data protection. These look at the role of data protection, training requirements and more.
Some of the hype about the General Data Protection Regulation (the GDPR) has been given renewed focus over the last couple of weeks by the issuing of two Notices of Intent by the Information Commissioner’s Office (ICO) with a combined nominal value of around £283m. It is worth reiterating what many have already said before me: Marriott International and British Airways, the two organisations involved, may never actually receive a fine. A Notice of Intent is only the start of the process and there is a long way to go.
Nevertheless, what this has undoubtedly done is raise the profile of data protection legislation and the newly acquired abilities of the regulator (the ICO) to issue substantially increased fines compared to those available under previous legislation. This will almost certainly result in some discussion in boardrooms and, for those that have yet to appoint a Data Protection Officer (DPO), probably a much more serious discussion about whether or not they should. Even those that don’t need a DPO may still choose to appoint one, or someone specifically responsible for data protection compliance.
If you are newly appointed to the role, the most important point to remember is that you are not alone. While the DPO role was introduced by the GDPR, the majority of data protection law requirements have been around for some time in the UK, some since the Data Protection Act 1984, so there is a lot we can learn from what has happened under previous legislation.
It is likely to seem a daunting task at first, and most would agree that there is a huge amount of information to take in before you can even think about applying it. Data protection has also suffered from significant volumes of misinformation that need to be sifted out. So where do you start if you are given the role of DPO?
This article provides some basic advice, as well as links to reliable sources, for those new to the DPO role and for those responsible for managing data protection compliance. It draws on my own experience of working with data protection for the past 20 years, including as a DPO for a number of organisations since the GDPR became applicable on 25 May 2018.
What is a Data Protection Officer?
A DPO is a role established by the GDPR with specific tasks and responsibilities laid down by the legislation. Under Article 37(1), an organisation (either a controller or processor¹) is required to designate a DPO where:
- They are a public authority except for courts acting in their judicial capacity;
- The core activities of the organisation require regular and systematic monitoring of data subjects on a large scale. CCTV is one example of regular and systematic monitoring, but there are many others;
- The core activities consist of processing on a large scale of special categories of personal data (Article 9 of the GDPR) or personal data relating to criminal convictions and offences (Article 10). Special categories of personal data include data concerning health, racial or ethnic origin, religious beliefs and trade union membership, along with others.
If you haven’t already, it may be helpful to review the guidance on the role of the DPO issued by the Article 29 Working Party and endorsed by the European Data Protection Board (EDPB), as it expands on several important points, including the need to avoid a conflict of interest when making the appointment. It also helps with the interpretation of key terms such as “large scale”, and recommends that, where it is not clear from the legislation whether you need a DPO, you carry out and document an internal analysis to decide.
I would recommend that you don’t call yourself a DPO unless the law specifically requires your organisation to have one, or a decision has been made at board level or equivalent that your organisation should have one. If you call yourself a DPO, both you and your organisation must then comply with all aspects of the law for DPOs.
What do I need to do?
There is no set job description and the role is likely to differ according to sector, size and a range of other factors. However the GDPR lays down a number of tasks (Article 39) that have to be completed by the DPO as a minimum:
- To advise the organisation that you work for as well as their employees about their obligations under the GDPR and other data protection law;
- Monitor compliance with the GDPR and other data protection law as well as with the policies of your organisation that relate to the protection of personal data. The legislation mentions the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- Provide advice on data protection impact assessments and monitor their performance in terms of ensuring compliance with the GDPR;
- Cooperate and act as the point of contact with the supervisory authority. In the UK this will be the Information Commissioner’s Office.
When carrying out their tasks, the GDPR requires the DPO to have due regard to the risk associated with processing operations (Article 39(2)). It is also worth noting that the DPO must be accessible to data subjects and is bound by secrecy or confidentiality regarding the performance of their tasks.
There are other responsibilities placed on the controller or processor with regard to the DPO and you can find out more about these in the GDPR as well as the EDPB guidance referred to above.
Who am I responsible to?
The DPO should report directly to the highest management level of your organisation, which is usually the board. Further information about this is available from the ICO’s website. Nothing in the legislation or the EDPB guidance allows an existing board member to hold the title of DPO in name only while delegating the work to others, although a number of organisations seem to have taken that approach. The organisation must also ensure that the DPO does not receive any instructions regarding the exercise of their tasks.
What skills and competencies should I have?
The GDPR states that the DPO …”shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices”…, as well as being able to fulfil the tasks listed above.
It goes without saying, but for the avoidance of doubt: anyone in the role of DPO should have at least a basic knowledge of data protection laws, and an understanding of how the law is applied in practice is a must. That said, these are skills that the vast majority of us have learnt once in the job, and it is really helpful to familiarise yourself with the reference materials (including codes of practice) and applicable legislation. As highlighted above, make sure the information you are using comes from a trusted and reliable source.
To comply with the requirements of legislation, information governance skills are likely to be very helpful, with business knowledge of the organisation you are working for essential. As yet, the ICO hasn’t issued any additional guidance for the UK although you may find it useful to look through the frameworks of competence published by the Spanish and French authorities. These are fairly consistent in the areas of competence that they are expecting a DPO to have. We are going to cover the area of emerging required competencies of DPOs in a later blog.
Is being a DPO a permanent role and can I do it alongside what I am doing?
Assuming your organisation meets the criteria for requiring a DPO, it will be an ongoing legal obligation, although whether it is introduced as a permanent post will be decided by your organisation. The legislation specifically allows the role to be filled by an employee or contracted in as a service (Article 37(6)). If you are going to contract in a service, make sure you undertake the necessary due diligence.
The role can be fulfilled by someone with other responsibilities although, as mentioned above, there must be no conflict of interest between the two roles (Article 38(6)). For example, it is unlikely that the role of DPO could be held by the Head of HR or the Head of IT, or equivalent roles in your organisation, because those roles determine the purposes and means of processing personal data.
Are there any associations that I could join?
Some of the organisations that provide support for compliance with data protection laws include:
What training is available?
If you are looking to formally develop competencies, there is a wide range of training available. Again, do your due diligence to make sure any event you decide to attend is going to provide what you need. Note that, at least so far, there are no approved certification schemes under the GDPR in the UK, and there are unlikely to be any covering training for DPOs, as the GDPR’s certification mechanism (Article 42) is aimed at processing operations rather than individuals.
Tkm offers a number of data protection qualifications that are certificated by the BCS or by the SQA, one of the UK’s qualifications regulators.
Tkm’s courses include:
- Diploma/Certificate in Managing Data Protection Compliance
- Certificate in Data Protection Compliance
- BCS Foundation Certificate in Data Protection
- BCS Practitioner Certificate in Data Protection
Courses are run throughout the UK and can also be delivered in house. In house training can be fully customised according to the needs of your organisation. Please don’t hesitate to contact us if you would like to discuss your requirements. The IRMS also has other training partners that provide courses on a range of information governance topics – see Leadership Through Data.
1 – Controllers and processors are defined by the GDPR. A controller determines the purposes and means of processing personal data, and a processor processes personal data on behalf of a controller. If you regularly process personal information, you are likely to be a controller, a processor or both. See the ICO’s website for further information.
Scheduled GDPR, data protection and other information governance training dates are listed below.
The easiest way to book your data protection training is to complete our booking form. If you have any queries about which course would be the most suitable for you please contact us.
Please note that the majority of our training is delivered in house although we run as many open courses as possible. Please contact us if you would like to register an interest in upcoming courses or a course in a particular location. You can also register to receive our training dates.
Data Protection Training Dates
| Course | Dates | Exam | Venue |
|---|---|---|---|
| Tkm Certificate/Diploma in Managing Data Protection Compliance | 16, 17, 23, 24 & 30 March 2020 | 28 April 2020 | IoD Scotland, 10 Charlotte Square, Edinburgh, EH2 4DR |
| Tkm Certificate/Diploma in Managing Data Protection Compliance | 21, 22, 28, 29 September & 5 October 2020 | 4 November 2020 | (venue not listed) |
| Tkm Certificate in Data Protection Compliance | 3 November 2020 | – | Perth |
| (course not stated) | 2 – 4 June 2020 | – | Glasgow |
| (course not stated) | 24 – 26 November 2020 | – | York |
Coming soon – Auditing Data Protection Compliance
A one day course to help you audit compliance within your organisation. To register an interest, please contact us.
Please note that all courses require a minimum number of people to run.
Please don’t hesitate to get in touch if you are not sure which course is right for you. If your organisation has 3 or more people that require GDPR and data protection training please ask us about discounts. If you have 4 or more for any of the courses offered by Tkm it is likely to be more cost effective for you to run the training in house. Please contact us for details.
IRMS individual members are eligible for a 10% discount. IRMS corporate members are eligible for discount on in house training.
The Diploma and Certificate in Managing Data Protection Compliance are data protection training courses that have been developed with practitioners in mind. The courses cover key aspects of the GDPR and other important data protection-related legislation, and focus on practical implementation.
As well as developing an understanding of the important parts of relevant legislation, the courses spend time on information governance, managing risk and other management techniques, which makes them different from many others available.
These courses are certificated and quality assured by the SQA, and are rated at SCQF level 8 (Certificate) and level 10 (Diploma).
To book, the easiest option is to drop us an e-mail or use our enquiry form. Courses that are provisionally scheduled are shown on the scheduled courses page. If you are not sure which course is the one for you, please contact us.
These courses are suitable for those responsible for managing data protection compliance within their organisation, including Data Protection Officers. This is an intensive course and those attending would benefit from having a basic knowledge of the requirements of data protection legislation.
Dates – book now
21, 22, 28, 29 September & 5 October 2020
Exam 4 November 2020
The course is usually held over 5 days, followed by separate assessments. For those wishing to achieve the Certificate, there is an extended answer exam usually held 2 – 4 weeks after course delivery. For those who would like to achieve the Diploma, in addition to passing the extended answer exam they must successfully complete a work-based assignment.
The course content will be continually updated to reflect current legislation applicable in the UK. It addresses requirements of the GDPR as well as relevant UK data protection law and covers:
- The development of data protection law and drivers for change
- Key definitions
- Data protection principles including the lawfulness of processing covering consent and privacy notices
- Special categories of personal data and information about criminal convictions
- Rights of the data subject
- Responsibilities of controllers and processors
- The requirements for a data protection officer
- Data protection by design and by default and prior consultation
- Information security
- Breach reporting
- Transfers to third countries and international organisations
- The role of the Information Commissioner and relevant offences
- Applying key codes of practice:
  - Data sharing
  - Marketing (including reference to the Privacy and Electronic Communications Regulations)
  - Employment code of practice
  - Surveillance cameras
- Managing risk
- Data protection impact assessments in practice
- Information governance
The cost of completing this course ranges from £1,600 (attendance only) to £2,275 for the Diploma. All costs quoted are exclusive of VAT. If you have 3 or more people who require data protection or GDPR training, please ask us about available discounts. If you have 4 or more, it is likely to be more cost effective to arrange in house training. Please contact us for details.
There are up to three assessments that are completed as part of this course:
- The first is a 1 hour multiple choice exam, usually held on the afternoon of day 3. Successful candidates will be awarded the Certificate in Data Protection Compliance.
- The second assessment is a 2.5 hour extended answer exam, usually run 2 to 4 weeks after the course. Successful candidates will be awarded the Certificate in Managing Data Protection Compliance.
- The final assessment is a work-based assignment. Those that successfully complete the assignment will be awarded the Diploma in Managing Data Protection Compliance.
Please note that this is a progressive award scheme and therefore candidates must achieve the pass mark in each assessment before being eligible to move on to the next level.
We run this course in locations throughout the UK – see our scheduled courses for available course dates.
We will always arrange additional courses if there is sufficient demand – please contact us to register an interest. If you have 3 or more staff requiring training, it may be more cost effective to arrange in house training. Please contact us for details.
The qualification depends upon which assessments are completed. Successful attendees will receive a qualification certificate for either the Certificate in Managing Data Protection Compliance or the Diploma in Managing Data Protection Compliance. These qualifications are approved, quality assured and certificated by the SQA, one of the UK’s 4 qualification regulators.
For further information, please see our course leaflets:
- Certificate in Managing Data Protection Compliance certificated by the SQA
- Diploma in Managing Data Protection Compliance certificated by the SQA
Or contact us.
Other Training Courses and Qualifications
We offer a Certificate in Data Protection Compliance, which is a 1 day training course ideal for those requiring a basic understanding of data protection legislation.
Tkm also offers the following qualifications from the BCS:
With just over a year to go until the implementation of the General Data Protection Regulation (GDPR) one of the tasks to get started with for certain types of organisations is the appointment of a Data Protection Officer (DPO).
The Article 29 Data Protection Working Party (WP29) has recently published some useful guidance (5 April 2017) that describes the DPO as being at the “heart of this new legal framework”, and this blog summarises key elements of the guidance and associated annex.
Who is required to appoint a DPO?
There are 3 cases where it is mandatory for a controller or a processor to appoint a DPO (Article 37(1)):
- Where the processing is carried out by an organisation considered to be a public authority or body except for courts acting in their judicial capacity. The WP29 guidance suggests that, as good practice, private organisations carrying out public tasks (such as energy supply, public housing and others) should also designate a DPO.
- Where the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale. The WP29 guidance defines “core activities” and “large scale”, as well as what constitutes “regular” and “systematic”, and discusses useful examples such as the use of closed circuit television.
- Where the core activities of the controller or the processor consist of processing on a large scale of special categories (Article 9) of data or personal data relating to criminal convictions and offences. As above, the WP29 guidance has some useful examples of what processing is likely to fall within this definition.
Unless obvious, the WP29 guidance recommends organisations should conduct “internal analysis” to determine whether a DPO is to be appointed.
If a DPO is not mandatory for our organisation, should we still appoint one?
Organisations can voluntarily appoint a DPO. However, it should be noted that the WP29 guidance states that where a DPO is designated on a voluntary basis, the requirements laid down under Articles 37 to 39 will apply as if the designation had been mandatory. This means that if you do not have to appoint a DPO, roles should only be given the title of DPO if they will be tasked with all obligations laid down in the Articles above. They are also responsible for all processing operations carried out by the organisation with regard to personal data, meaning that you cannot be selective about which processes the DPO may cover.
What are the DPO’s responsibilities?
Tasks of the DPO are laid down by Article 39(1) and are summarised below. These are to:
- Inform and advise the Controller or the Processor and the employees who are processing personal data of their obligations under the GDPR;
- Monitor compliance with the GDPR;
- Provide advice regarding data protection impact assessments and monitor their performance;
- Cooperate with the supervisory authority, which is the Information Commissioner’s Office (ICO) in the UK;
- Act as the contact point for the ICO on issues related to the processing of personal data.
Article 39(2) requires the DPO to take a risk-based approach to their duties, having due regard to the nature, scope, context and purposes of processing operations. The DPO must also be genuinely accessible: the controller or processor is required to publish the DPO’s contact details and communicate them to the ICO (Article 37(7)).
It is important to note that a DPO is not personally responsible for compliance with the GDPR. This remains the responsibility of the Controller or Processor (Article 24(1)). There are additional organisational responsibilities with regard to the DPO and these will be covered in a later blog.
Who can be a DPO?
Article 37(5) states that the DPO, who can be a staff member or a contractor, “shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39”. The WP29 guidance notes that, although the required level of expertise is not defined, “it must be commensurate with the sensitivity, complexity and amount of data an organisation processes”.
It is worth noting that although Article 38(6) allows DPOs to “fulfil other tasks and duties”, the organisation must ensure there is no conflict of interest. The WP29 guidance suggests this will depend on each organisation, although it may preclude senior management such as the Chief Executive, Chief Financial Officer, Head of Human Resources and Head of IT, amongst others, from the role of DPO.
What should I do next?
The first step is to identify whether a DPO is required in your organisation and, if so, who should fill the role. You should check the text of the GDPR, the WP29 guidance, and also the information available from the Information Commissioner’s website on DPOs to make sure you understand how these requirements will apply to your organisation.
You can then begin the process of recruitment, contracting and training new and existing staff as appropriate. It is essential that your organisation has developed the necessary competencies to comply with the GDPR by 25 May 2018. Training is a key organisational measure in preparing for the GDPR and Tkm can help. If you are interested in training for DPOs please contact us.
Tkm is in the process of adding accredited data protection qualifications to its portfolio and also delivers in house training that can be fully customised according to your business sector and the individual learning needs of your staff.
Look out for our next blog which will provide some guidance on choosing the right training for your organisation, helping to ensure best value for money.
The material contained in this article constitutes general guidelines only and does not represent to be advice on any particular matter. No reader should act on the basis of material contained within this site without first taking professional advice appropriate to their particular circumstances.
exploit – protect – comply