Try casting your mind back to two years ago. Back then, organisations were busy preparing for the General Data Protection Regulation, our e-mail inboxes were brimming with consent requests and, at business conferences, the topic of privacy was unavoidable. An entire privacy industry formed dedicated to achieving and maintaining compliance with the new laws. I know. I was part of it. Two years on, where are we?

Since GDPR went live, I am sure we have all heard of some of the egregious failings. Locally, the Lands Authority case springs to mind. Internationally, the Marriott Hotel Group suffered an enormous breach affecting hundreds of millions of customers. On the other hand, below the radar, in organisations which have taken privacy seriously and designed their processes with privacy in mind, data protection protocols have become embedded within the organisation.

Entities should have reached the business-as-usual stage by now and, in reaching that milestone, many local firms have discovered that a fully dedicated privacy professional is more than their needs require – full-time data protection officers (DPOs) have taken on other responsibilities and part-time DPOs have become more part-time. There’s a risk that privacy practices become so embedded that they disappear.

For certain types of organisations, a DPO is a regulatory requirement. For any organisation, having a DPO shows a commitment to the privacy principle of accountability, which is likely to be welcomed by all stakeholders, not least privacy regulators. As set out in Article 39 of the GDPR, the basic, mandatory tasks of the DPO are to: ensure awareness of the organisation’s privacy obligations at law; co-operate with regulatory authorities; monitor compliance with data privacy policies and procedures; and advise on data protection impact assessments (which should be carried out for certain new types of processing).

The DPO would also get involved with data subject requests, deal with actual or potential breaches and act as an internal sounding board on any matters having a privacy dimension.

To achieve independent, reliable and proportionate privacy arrangements, outsourcing is an option worth considering. The GDPR is clear on the permissibility of such arrangements. Article 37.6 of the Regulation states that even the core role of the data protection officer can be fulfilled ‘on the basis of a service contract’.

Such a written contract should clearly state the roles and responsibilities of the outsourced provider. The work involved for certain elements, such as training and oversight, can be estimated with a good degree of certainty and can be covered with a fixed fee. Other elements, such as dealing with data subject requests or breach-handling, would be variable in nature.

From a value perspective, the key benefits of an outsourced arrangement are efficiency and flexibility. Like a doctor examining a patient, an experienced and expert privacy professional will be familiar with the vast majority of privacy cases that he or she encounters and can make a swift and suitable diagnosis. Your service provider should also have ready access to a back-up team to provide support for trickier situations or where specialist skills are required.

Privacy obligations aren’t going to disappear. For many organisations, outsourcing is a sensible option to achieve your privacy objectives within a budget.

For more information on how ARQ’s privacy team can assist, contact Dominic Fisher at dfisher@arqgroup.com.

Dominic Fisher, Head of risk and compliance, ARQ Group
