Here’s what to do.
Appointing a Data Protection Officer (DPO) to be responsible for managing an organisation’s day-to-day data compliance is a requirement for most businesses, according to the GDPR legislation that came into force in May 2018.
But “appointing” hides a brimful of woes.
Yes, it allows you to choose a member of your existing staff to assume the responsibilities of a DPO. But how many of your existing staff are skilled in the technical and legal requirements of protecting and updating data?
And are you comfortable with the (inevitable) likelihood that saddling an existing employee with additional ‘off-topic’ responsibilities will drive a cart and horses through their core business productivity?
And yes, of course, the wording permits you to employ a DPO who is a qualified and skilled professional in those critical data management areas.
But finding a suitable candidate can be problematic, and the wage bill is high – the median salary of a DPO is £57,500 per annum, according to research from ITjobswatch.
Put NI and pension contributions on top of that and how the hell is your business going to afford it?
However, there are smarter options than entrusting DPO responsibilities to Fred in Accounts or writing a salary cheque for £5k-plus every month. Essentially, you can outsource your DPO obligations to a qualified service provider, for a manageable fixed fee per month.
It’s called DPO as a Service, and here’s a true story to show how it works.
How a recruiter uses DPO-as-a-Service:
Eurovine (https://www.eurovineit.com/) is a specialist IT recruitment consultancy that holds thousands of CVs on file – with an accompanying obligation to manage how that personally identifiable data is secured, stored and managed.
DPO as a Service constantly monitors, tracks and reports on Eurovine’s privacy capabilities, with Data Loss Prevention (to prevent data from going where it shouldn’t), automatic data retention enforcement (to ensure data is not kept longer than it should be), and Office 365 infrastructure (to deliver the optimum combination of device mobility, productivity and security).
It also delivers Data Subject Request (DSR) and Subject Access Request (SAR) management, to enable data subjects (individuals) to view, update or remove the data held about them, plus specialist advice around data sharing issues and anonymisation.
Eurovine Director Danny Whelan says that DPO as a Service “constantly monitors for data issues – just like a good DPO should, but at considerably lower cost!”
“It adds credibility to our engagement with key clients, so we’re not just securing our data – we’re securing our revenues, too.”
So, DPO as a Service or DPO as a Salary? You do the maths.