It is no secret that a lot of businesses have struggled with understanding, and indeed meeting, their obligations since the introduction of the GDPR… and possibly before, but the smaller fines meant that the risk was tolerated in many cases.
Are you considering whether you need to appoint a Data Protection Officer? A popular option for many businesses is to appoint an Outsourced Data Protection Officer.
What does the law say?
Under the UK GDPR, organisations are required to appoint a Data Protection Officer (DPO) in certain circumstances. Data Controllers must appoint a DPO if their core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.
The Information Commissioner's Office is the governing body for data protection law within the UK, and it has created a toolkit to help businesses assess whether a DPO is required.
What risk are you willing to accept?
Considering your business's obligation to appoint a DPO is just one piece of the data protection compliance puzzle. You are required by law to appoint a DPO in certain circumstances, but what are the risks if you don't?
Since the introduction of the GDPR we have seen a number of fines across Europe in response to failures to appoint a Data Protection Officer; a couple of examples are listed below:
- The Spanish data protection supervision authority fined Glovo App €25,000 for failing to appoint a DPO in 2020.
- The Dutch data protection supervision authority fined Locatefamily.com €525,000 for failing to appoint an EU representative and other contraventions under the regulation. But the Authority went even further: the company was given until 18 March 2021 to appoint a representative, failing which it must pay €20,000 for every two weeks that it is in breach of this requirement, up to a maximum of €120,000.
Risk vs Benefit.
The sizeable fines which can be imposed for failure to appoint a DPO are one clear risk that businesses will surely want to avoid… but let's face it, there are far greater risks which come as a result of not having a qualified Data Protection Advisor.
Most businesses will process some form of personal data whether that be employees, website users, customers, or prospective customers. Such data collection in the course of your business means you are subject to data protection laws, of which there are various requirements in addition to the question of whether you legally need to appoint a DPO.
Wider areas of risk under data protection laws:
- Digital Marketing – If you are undertaking marketing activities, particularly digital marketing, the risk of enforcement action is substantially increased. You only have to take a look at a list of recent enforcement action by the Information Commissioner's Office to recognise the lack of tolerance for breaches of the PECR and failure to obtain valid consent under the UK GDPR.
- Information security practices – failing to have sufficient organisational and technical security standards in place demonstrates a lack of accountability, which substantially increases the risk of enforcement under data protection laws. In addition to robust proactive measures, it is essential that businesses have robust reactive processes in place to identify and mitigate the impact of personal data breaches. There are some high profile examples where companies failed to identify that a breach had occurred for months; this was seen to be an aggravating factor at the enforcement stage.
- Compliance with Data Subject Rights – it is essential that businesses comply with and promote data subject rights. The Information Commissioner's Office recently took action against seven organisations who failed to comply with their obligations in respect of providing individuals with copies of their data. This right is known as a Subject Access Request (SAR) and is one of the most commonly exercised rights under data protection legislation.
Having a qualified Data Protection Advisor (and being willing to accept their advice) should drastically reduce the likelihood of you receiving hefty financial penalties in these specialist areas of data protection law. Let's not forget, it is not just enforcement action that businesses need to be mindful of when assessing their risk appetite; key considerations also include reputational damage and litigation risks.
How can Midland Data Protection help?
Data Protection roles can be very difficult to recruit for; we aim to assist by offering expert support at an affordable rate.
We have a pool of consultants with experience in a variety of sectors, and we carefully match the right consultant to your business.
Wherever possible we want to enable you to meet your business objectives. Our primary focus is protecting you from enforcement, litigation and reputational damage in the field of data protection, and ultimately helping you comply with data protection laws.
We offer a number of packages which can be tailored to your business needs. Some of the benefits of our outsourced Data Protection Officer service include:
- Access to expert consultants
- Annual Staff training
- Robust toolkit of policies and procedures
- Privacy notice templates
- Template information sharing agreements
- Access to email, telephone and videoconferencing support
- Data Protection rights advice
- Information sharing advice
- Data Protection Impact Assessment support
- Data breach support
- Quarterly newsletters to help you stay up to date with the latest issues that might impact your business
- Dedicated representative
- DPO ICO Registration
Contact us for a discussion regarding our affordable Data Protection Officer Services.