In the world of data protection and Data Protection Officers, you will notice post-nominal letters after people’s names, like PC.dp (GDPR) and CIPM, CIPP/E, CIPP/US and Data Protection Practitioner. What exactly does all this mean?
A Data Protection Practitioner is a person who is actively practising the profession, who is knowledgeable and who has experience.
The dictionary definition of the word ‘Practitioner’ is:
‘a person actively engaged in an art, discipline, or profession’
There are a lot of data protection training courses claiming to provide this qualification once successfully completed. In some cases, this could be said to be true, because the person providing the training is exceptional in their application of knowledge and experience and can pass that on to the candidates attending the course.
At Propelfwd, we offer a range of data protection training and courses, online and in person.
In others, this could be questionable.
The two main training schools for data protection are PDP, which is associated with the Law Society of the United Kingdom, and the IAPP, the United States version.
Success with the PDP Practitioner training allows candidates to put the post-nominal PC.dp after their name, and the IAPP allows CIPP or CIPM, depending on the course taken. You also have the BCS Practitioner training available.
When engaging a consultant, check the qualification they hold and ask about the experience they have dealing with data protection issues.
All of the team at Propelfwd have or will go through the PDP training programme and must complete CPD hours annually to keep up with the latest trends and regulations in the data protection world.
What does a Data Protection Officer (DPO) do?
A DPO is a person within your organisation who holds a mandatory position whenever your organisation is legally required to have one.
In certain circumstances, organisations must have a DPO to oversee the data handling within the organisation, be a contact point for data subjects, a point of contact for employees, be there to give guidance, support and advice to the Board and ensure the organisation is complying with the requirements of the data protection law.
The law says:
Article 37 (1). The controller and the processor shall designate a data protection officer in any case where:
(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
So, if your organisation falls within this definition, you must have a DPO. If not, you do not need to have a DPO overseeing the data protection arrangements within the organisation.
If you still put in place a ‘voluntary’ DPO position, the law is clear: that person is bound by the requirements of the law as if they were holding a mandatory position.
The advice from the European Data Protection Board (EDPB, formerly the Article 29 Working Party) is that if you do not legally require a DPO and have a person in charge of your data protection activities within your organisation, DO NOT call them a DPO.
Call them a Data Protection Manager, Champion, Lead, whatever but not a DPO.
What qualifications does a data protection officer need?
The GDPR says in Article 37 (5): The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.
Those tasks are specifically:
(a) to inform and advise the controller or the processor and the employees who carry out the processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
(b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
(c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
(d) to cooperate with the supervisory authority;
(e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
Can Data Protection Officers be someone from outside of your organisation?
Yes, your DPO can be an employee or an outsourced person or organisation. The law allows for this exact situation under Article 37 (6): The data protection officer may be a staff member of the controller or processor or fulfil the tasks on the basis of a service contract.
It is becoming a more popular choice for organisations to outsource the position of DPO and Data Protection Manager (DPM).
This saves the organisation the employer costs of another full-time employee and of training that employee sufficiently to fulfil the role of DPO to a satisfactory level, and it also removes the resilience problem of that member of your team being on holiday or off ill.
Having an organisation as your outsourced DPO resolves all those issues.
Outsource your data protection officer with Propelfwd
Propelfwd has a team of highly skilled and experienced data protection professionals who are on hand to look after an organisation’s data protection needs.
They have the skill set to comply with the requirements of Article 35 (7) GDPR.
Propelfwd has experience working with all sizes of organisations, Public and Private sectors, charities, sports clubs, pharmacies, medical practices, counselling services, religious organisations, and many more.
This experience in dealing with the various data activities, laws, conditions and processing gives Propelfwd an advantage when starting with your organisation. The team already know the difficulties you face and how to address them.
Propelfwd also works in a number of jurisdictions, including Jersey, Guernsey, the UK, the Isle of Man and Ireland. We have had to deal with clients in South Africa, the USA and Canada, so we are fully aware of the requirements of those data protection laws, of data transfers and of the risks involved in them.
How much does a data protection officer earn?
Salary ranges for DPOs differ from business sector to sector. It can be as high as £120k or as little as £50k pa, depending entirely on the business they are employed by and any other responsibilities added into the job description by the organisation.
Remember that the role of the DPO, if it is mandatory, must have an independent element to it and must report directly to the highest level of leadership.
There cannot be any conflict with other responsibilities. Organisations in the EU have been fined heavily by the Commissioners for appointing the Head of Compliance or the Head of IT as the DPO.
So think very carefully about who you appoint if you are appointing internally.
This is another great advantage of outsourcing this position to a professional organisation like Propelfwd. You remove the conflict element immediately.
Do small companies need a data protection officer?
It is not about the size of an organisation; it all depends on the definition used to determine whether a DPO is a legal requirement or not. Article 37 (1) above gives the conditions under which a DPO is required.
If the organisation fits into that definition, no matter the size of the organisation, it will require a DPO.
Can a CEO be a data protection officer?
The simple answer is no. As stated above, there cannot be a conflict of roles between the DPO and any other role with responsibility for, and a say in, data activities within the organisation.
Organisations have been fined for having the Head of IT or Compliance as the nominated DPO, because of the conflict in roles.
If an employee of the organisation has no other conflict or say in a data processing activity, then they can be the DPO for the organisation.
But you need to remember that the DPO is a point of contact for the data subject and must act as an independent person on behalf of that data subject.
The DPO cannot be biased toward the organisation, so this will be very difficult for an employee to do.
Propelfwd has a team of professional privacy officers ready to be your Data Protection Officer or Manager. They all have appropriate training, undertake continuing professional development and are skilled GDPR practitioners.
Propelfwd will never call in sick, not be available because we are on holiday or unable to assist with compliance issues because we are too busy.
You will not have the conflict nightmare or have to worry about getting the right training course for the team. It is the responsibility of Propelfwd to keep the team up to date with the UK Data Protection Act and to ensure individual and organisational responsibilities are maintained at all times.
Propelfwd is a training provider, offering candidates upon successful completion a certificate in data protection laws or a practitioner certificate in data protection. Propelfwd will handle all your subject access requests, data protection law issues and data breach
Contact Propelfwd for more information.