The Tamite Secure IT – Data Protection Officer Service
We have created the Tamite Secure IT Data Protection Officer Service because most companies that handle Personal Data will find they need someone to take on the role, and in the majority of cases it will not be cost effective or convenient for the DPO to be directly employed.
This is because your DPO needs to be up to date with the latest information and methods in a field that is new and evolving. In addition, it is hard for an internally appointed DPO to meet the legal obligations that the GDPR places on the role.
Legally, a Data Protection Officer (DPO) must:
1. Operate at arm's length, independent of core business activities. As such, the DPO must be separate from senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) and independent from other roles lower down in the organisational structure, if those roles lead to the “determination of purposes and means of processing”.
2. Engage directly with the Board or highest level of management.
3. Be appropriately skilled, including knowledge of legislation, the sector, the organisation, processing operations, IT and data security, with an ability to promote a strong data protection culture across the organisation.
4. Be sufficiently engaged by the organisation in its business activities.
5. Be provided with sufficient resource.
Under the GDPR (Article 37), there are three main scenarios where the appointment of a DPO by a controller or processor is mandatory:
- The processing is carried out by a public authority;
- The core activities of the controller or processor consist of processing operations which require regular and systematic processing of data subjects on a large scale; or
- The core activities of the controller or processor consist of processing on a large scale of sensitive data (Article 9) or data relating to criminal convictions / offences (Article 10).
While no absolute guidance is given on the levels of data processing that make the appointment of a DPO a statutory obligation, the reality is that for most companies processing PID it will make practical sense to appoint a DPO.
Our view is that, without the guidance and oversight a professional DPO provides, accomplishing projects involving PID will be difficult.