Eastside Primetimers data protection specialist Mike Griffin answers some common questions to highlight the importance of hiring a Data Protection Officer for your charity.
The introduction of the EU General Data Protection Regulation (GDPR) in May put pressure on non-profit organisations to strengthen their data protection policies.
One element of the new GDPR regulations requires public authorities and public bodies to appoint a Data Protection Officer (DPO). Charities do not meet the criteria for a mandatory DPO, but the Charity Commission nonetheless recommends one as “advisable”.
For those who are unconvinced, the answers to the following common queries should help to clarify the importance of appointing this function for your charity.
What does a Data Protection Officer do?
A DPO should be the expert in data security for your organisation, providing expert advice and opinion on all data protection matters.
Responsibilities of a data protection officer include monitoring and maintaining compliance through conducting regular security audits, providing ongoing data protection training and awareness and ensuring that policies are current and relevant.
A data protection officer should also:
- Act as the point of contact between the organisation and any external agencies (e.g. ICO)
- Keep management informed and advised of the organisation’s obligations to comply with the GDPR and other data protection legislation
- Monitor and maintain records of all data processing activities conducted by the organisation
- Review and negotiate the organisation’s agreements and contracts with data processors
- Communicate with data subjects to inform them about how their data is being processed and the rights they have to their data
- Coordinate all Subject Access Requests (SAR) and Right to Be Forgotten (RTBF) requests
- Coordinate data breach response and notification procedures
Why is it important for my charity to hire a DPO?
In our previous blog on preparing your charity for the GDPR, I stressed how important it is for charities to ensure their GDPR compliance arrangements are closely maintained.
The bottom line is that hiring a Data Protection Officer is essential to mitigate the possibility of a crippling fine.
Appointing someone with expertise in data protection dramatically reduces the chances of your charity being involved in a GDPR breach. There are suggestions that breaking GDPR rules could put charities out of business, and several prominent third-sector organisations have faced large fines from the ICO in recent months due to data protection breaches. In light of this, it is important that charities do not cut any corners.
There are no two ways about it: appointing a Data Protection Officer is important in ensuring your charity achieves and maintains an adequate level of compliance with the law.
What are the advantages of outsourcing the DPO function?
Hiring an external Data Protection Officer through a service contract is likely to be the best option for charities.
This is largely because the recommended level of data protection experience and expertise is not generally available internally – however, there are many other benefits to outsourcing the DPO function.
Appointing a DPO with a higher level of independence ensures their advice and recommendations are impartial and removes conflict with other business activities. An external DPO is also likely to be more flexible and immediately available when they are needed. Charities can even team up to ‘share’ a DPO service amongst several organisations, for a cost-effective method of sourcing data protection expertise.
Mike Griffin is a member consultant with Eastside Primetimers and an experienced data protection specialist.
Our specialist data protection consultants are now available to act as a DPO for your organisation as part of our new service offer. If you would like to discuss this opportunity further or need additional advice on how to get your organisation GDPR compliant, please call now on 0207 250 8334 or email firstname.lastname@example.org.