What is the role of the DPO a year after GDPR?

August 21, 2019 – By Dan Welberry

What’s the point of the Data Protection Officer (DPO) a year after GDPR?

Before GDPR came into effect, the role of the Data Protection Officer (DPO) took centre stage. A mandatory role for some organisations, a voluntary commitment for others, it was estimated that 75,000 DPOs would be required worldwide in order to meet the demand.

And their remit was clear enough: to act in the interests of data subjects and to ensure the organisation complied with the regulation.

The role of the DPO at-a-glance

  • The GDPR introduces a duty for you to appoint a DPO if you are a public authority or body, or if you carry out certain types of processing activities.
  • DPOs assist you to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority.
  • The DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level.
  • A DPO can be an existing employee or externally appointed.
  • In some cases, several organisations can appoint a single DPO between them.
  • DPOs can help you demonstrate compliance and are part of the enhanced focus on accountability.

Source: ICO

What followed was a flurry of activity as DPOs attempted to get their organisations compliant, or as near to compliant as possible, before the GDPR deadline hit.

Everyone waited for the first fines to hit, but they dribbled in without much fanfare, and people began to lose interest.

The trouble is that many organisations believe that, because they allocated a budget to achieve compliance before the GDPR deadline, the job is done. It is why nearly a quarter of DPOs say their main challenge is currently obtaining sufficient resources for their work, and why half allocate less than 5% of their governance, risk and compliance budget to data protection and privacy.

And then the ICO announced its intention to impose massive, high-profile fines on BA and Marriott, and everyone sat back up and took notice.

One year after GDPR, the Data Protection Officer is more relevant than ever, and businesses must keep investing in the role.

In fact, Elizabeth Denham, the Information Commissioner, said in a blog in May 2019:

“The focus for the second year of the GDPR must be beyond baseline compliance – organisations need to shift their focus to accountability with a real evidenced understanding of the risks to individuals in the way they process data and how those risks should be mitigated. Well-supported and resourced DPOs are central to effective accountability.”

SARs have hit the hardest

Interestingly, it is the influx of Subject Access Requests (SARs) that has hit the hardest.

In the year following GDPR, 64% of DPOs stated that they either agreed or strongly agreed with the statement ‘I have seen an increase in customers and service users exercising their information rights since 25 May 2018’.

And our own research shows that even simple SARs cost on average £145 to complete. Anecdotally, complex SARs, often from disgruntled employees or customers (so-called weaponised SARs), can cost up to £50,000 to process.

Clearly there’s still work to do. And research from CPO Magazine shows that improving the SAR process is the main priority for nearly a third of DPOs this year.

Data protection isn’t a tick-box exercise

Organisations are constantly evolving, and your people, processes and technology need to change and scale in line with that evolution.

But it also requires a cultural change. Maintaining interest in an initiative is really hard, particularly when it’s something like GDPR and people think you’ve already ticked that box. It’s a constant battle to raise awareness of the issues, and to get people to take notice.

Fines or no fines, the role of the DPO is vital to the success of any business handling customer or sensitive data. Facing the ongoing challenge of normalising the new regulations, DPOs now need to hard-code compliance into business-as-usual activities, which requires ongoing investment from the business.

To find out how, read our Guide: ‘Six practical steps you can take to transition data protection to business-as-usual’