Paul Motion: Now is the time to outsource a really good data protection officer
The data protection landscape for businesses and public authorities changed beyond recognition on 25 May 2018 when the GDPR and Data Protection Act 2018 came into force. It seems remarkable that nearly two and a half years have passed. At the time, no-one could have predicted that for the majority of UK businesses, working from home with customer and client data would become the norm, writes Paul Motion.
The GDPR introduced a requirement for a business to have a Data Protection Officer if it was a public authority, handled large quantities of special category (sensitive) data, or carried out significant amounts of surveillance. Many businesses played safe and appointed a DPO anyway.
Since the GDPR came into force, and particularly during the lockdown period, there has been an explosion in the number of subject access requests (SARs) served on businesses. With staff working remotely from their line manager, supervision is a little more challenging than in the office environment. Consequently, the risk of data breaches has increased with home working, and collating data for SAR responses has become a more complex, multi-dimensional exercise. There is also now a huge amount of business data and personal data residing locally and in shared threads, including on instant messaging platforms like WhatsApp.
A Data Protection Officer’s role is really twofold. First, the DPO advises on compliance with data protection legislation. The DPO can take a significant amount of pressure off management by handling subject access requests, and this can include liaising with the IT and HR departments within a data controller. Second, if things go badly wrong, a good DPO provides management with an objective view as to whether a data breach should be reported to the ICO and to the data subjects who may be customers, patients or clients. The DPO can help draft the self-reporting form and the correspondence to any affected data subjects. The DPO will help manage the breach by providing the interface with the ICO’s case officers.
Accordingly, the role and especially the objectivity of the DPO are extremely important. This is why a DPO cannot be any member of the organisation’s management who is involved in making decisions relating to the organisation’s data processing activities. For this reason, a genuinely independent and impartial Data Protection Officer is highly desirable and often the only realistic option.
Recognising that businesses would need specialist support, in 2018, BTO Solicitors set up RGDP LLP (standing for Really Good Data Protection). RGDP provides outsourced data protection services to a diverse range of clients including a large number of housing associations, an airport, firms of solicitors, public bodies in the sporting and business sectors, charities and more. RGDP can offer tailored DPO packages according to the size of business, ranging from one day of consultancy per month upwards. In case of an emergency such as a data breach, RGDP can provide urgent input either remotely or on-site. During the lockdown period when site visits were not possible, work was conducted remotely, but as lockdown has eased, RGDP has resumed a mixture of remote advice and on-site visits. RGDP also frequently advises and assists on complex SAR responses.
The data protection landscape is about to change yet again when the UK leaves the EU on 31 December. Given the present uncertainty over whether the EU will grant the UK an Adequacy Decision in relation to the UK’s data protection regime, to say nothing of the cross-border transfer and USA issues caused by the Schrems II court case, it is all the more important for UK data controllers to have impartial, experienced specialist advice on hand.
Therefore, now is the time for your organisation to consider hiring a really good outsourced data protection officer!
Paul Motion is a partner at BTO Solicitors LLP