The first thing to consider is whether your business requires a Data Protection Officer (DPO).
It is not the size of an organisation that determines who needs a DPO, but rather the size and scope of data handling. Unfortunately, GDPR does not specifically define what they consider to be “large scale” data handling.
There are however four key factors that governing authorities are using to determine if a DPO is required. These are:
- Data subjects
- Data items
- Length of data retention
- Geographic range of processing
The Information Commissioner’s Office’s (ICO) state that all organisations who process personal data must comply with the GDPR, regardless of their size or industry and have evidence to demonstrate their compliance.
However, while there are not exact guidelines around the scale of data handling, most small businesses will not be required to hire a Data Protection Officer (DPO) unless their core focus is data collection or storage.
Your company can therefore still remain GDPR compliant without the need to hire a costly DPO if the nature of your business means you do not require one.
Other options to consider include appointing an employee in-house to take on the role of a DPO; share the job role of a DPO or outsource the role of DPO.
Hiring a designated DPO can be very expensive, with annual salaries ranging from £35,000 – £60,000, so it is important that you establish whether you need one.
But what happens if you cannot afford to hire a costly DPO?
iCaaS offers a Virtual Data Protection Officer (vDPO) service – designed for all organisations who legally require a DPO to comply with GDPR, but simply don’t have the resource to do so.
In the same way that companies outsource other business tasks such as IT services, HR or bookkeeping, you can now outsource a data protection role. Our vDPO will liberate your business from the expensive and lengthy process of hiring a DPO, so you can focus your attention on tackling projects more vital to the company’s future growth.
GDPR was put forth by the European Parliament, the European Council, and the European Commission to strengthen and streamline data protection for European Union citizens.
It calls for the mandatory appointment of a DPO at every organization that processes or stores personal data for EU citizens.
DPOs must be, “appointed for all public authorities, and where the core activities of the controller or the processor involve ‘regular and systematic monitoring of data subjects on a large scale’ or where the entity conducts large-scale processing of ‘special categories of personal data,’” such as race, ethnicity, or religious beliefs.
The data protection officer is a mandatory role for all companies that collect or process EU citizens’ personal data, under Article 37 of GDPR. DPOs are responsible for educating the company and its employees about compliance, training staff involved in data processing, and conducting regular security audits.
DPOs also serve as the point of contact between the company and any Supervisory Authorities (SAs) that oversee activities related to data.
As outlined in GDPR Article 39, the DPO’s responsibilities include, but are not limited to, the following:
- Educating the company and employees on important compliance requirements
- Training staff involved in data processing
- Conducting audits to ensure compliance and address potential issues proactively
- Serving as the point of contact between the company and GDPR Supervisory Authorities
- Monitoring performance and providing advice on the impact of data protection efforts
- Maintaining comprehensive records of all data processing activities conducted by the company, including the purposes of all processing activities, which must be made public on request
- Interfacing with data subjects to inform them about how their data is being used, their right to have their personal data erased, and what measures the company has put in place to protect their personal information
With a vDPO, you don’t have to worry about any of that. Our vDPOs will take care of the following and more:
- Align data protection metrics to strategy
- Prepare a monthly board report
- Review key documents, including subject access requests (SARs) and privacy notices
- Act as the single point of contact with the ICO
Our vDPO will be on demand as and when you need their services. They will keep your practice up to date with the latest data privacy and protection news as the legislation continues to evolve and will efficiently deliver training in-house, whenever suits you.