You have several options when it comes to managing Data Protection.
Recruit a formal Data Protection Officer (DPO)
This has significant implications. A DPO must have the experience and expertise to fulfil the tasks the GDPR assigns to the role, and must act independently, reporting directly to the Board or Trustees rather than to operational management.
A DPO can therefore often command four times the average salary.
The GDPR only requires certain organisations to appoint a DPO: public authorities, and organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special category or criminal conviction data (Article 37). Everyone else may appoint one voluntarily. Our "Do I need a DPO" test will tell you whether you are required by law to appoint one.
Appoint an external DPO
Those offering DPO-as-a-service must meet the same high standards as an internal DPO.
This means they must be “involved, properly and in a timely manner, in all issues which relate to the protection of personal data” and must fulfil all the tasks outlined in Article 39.
Always check that any solicitor, accountant or DPO-as-a-service company has the expertise and experience (in your sector) to fulfil the role. For example, can they report to the Board one day, and change their tone and approach to work with frontline staff and management the next?
Also check the resources they commit for the price, and what they charge as extras. For example, is handling a subject access request (SAR), or engaging with the ICO or your customers, included in the price or billed separately?
- Our resources are scalable at short notice
- You have a team of specialists at your disposal
- Our knowledge is always up to date
- You don’t pay for resources you don’t use
- Our experienced staff are efficient
- Our advice is impartial
This is the cheapest option, in the short term at least. But the Information Commissioner's Office (ICO) is now enforcing the GDPR. It has required HMRC to delete personal data it held unlawfully. It has announced its intention to fine British Airways £183 million for the poor security arrangements behind its 2018 customer-data breach, and Marriott £99 million for failing to undertake sufficient due diligence when it acquired the Starwood systems that were later found to be compromised.
Enforcement on this scale changes how data protection is treated in UK business. You may never be fined, but your stakeholders will expect you to be managing data protection risk, and your partners will want assurance that your practices will not expose them to risk. Your reputation can easily be damaged by outdated practice or by failing to recognise and manage the issues.