Since the GDPR went live, the role of the Data Protection Officer (DPO), whether full time or managing the duties in conjunction with another role, has become increasingly embedded in the day-to-day operations of organisations. They have become relied upon to answer a myriad of queries as awareness of data protection obligations has increased through training and practice, and are trusted to help deal with data breaches of all sizes in a timely manner. Whether a full-time or part-time DPO, even Data Protection Officers are entitled to their holidays as well as having access to more significant leave of absence including potentially parental, maternity and sick leave. Planning for such absences should form a normal part of wider contingency planning to ensure delivery and course services. Several options are available to be considered, as we explain below.
Do we need to make formal plans?
We would suggest yes. This is primarily because of the importance of the DPO in:
- reporting breaches where necessary within the 72-hour window;
- acting as the primary contact point for other communications with the Data Protection Authorities. Certain Supervisory Authorities, including the Irish Data Protection Commission, expect to communicate with a named individual when contacting your organisation;
- helping data subjects exercise their rights over their data;
- supporting Data Protection Impact Assessments and other queries related to projects which may be time-constrained or about to go live;
- participating as a member of the Business Continuity senior team if a disruption to operations arises.
Documented plans to cover such absences, including resignations, will demonstrate the Board’s commitment to data protection and help meet the organisation’s obligations relating to accountability.
Ideally, your organisation will have more than one person dealing with data protection matters with such staff being suitably qualified and experienced. Potentially one of your team of data champions can stand-in to cover at least the shorter periods of absence of the DPO.
Considerations for internal cover
Where a suitable person (or persons) can provide cover, you will still need to take some measures to manage the absence optimally. These include ensuring:
- planned holidays and leave do not overlap;
- access to the DPO communication channels (email, landline / mobile) are provided;
- a formal handover and debrief are undertaken (and documented) to ensure any issues or urgent matters are handled smoothly going forward;
- communication with staff (especially reception, ICT and customer service managers) to notify them of the arrangements in place;
- employment contracts contain amendments to reflect the independence of the staff member when acting as the DPO and the higher level of confidentiality required.
For shorter temporary periods it is unlikely to be necessary to inform the relevant Data Protection Authority of the change at the helm. For longer periods it would be best practice to do so and to include any change in contact details and information relating to the length of new arrangements.
Where internal cover is not available
This can be a real anxiety for senior management as hiring a suitably qualified and experienced DPO for a full-time role remains a challenge, let alone for a temporary role. Promoting another staff member without training or suitable experience is also not really an option. One possible solution is to seek support services from a specialist service provider which may provide cover as part of a wider DPO Assist service offering.
The benefits of this type of service are multiple and can include:
- the ability to arrange such cover at relatively short notice;
- the flexibility of choosing which duties to keep in house (with some support where needed) or to outsource completely;
- transparent costing that removes the need to carry the cost of attempting to recruit a temporary DPO or which can allow time to recruit a suitable permanent replacement where necessary;
- access to additional services as and when required including auditing, training and technical advice;
Such services commence with a hand-over process where the DPO (or other role holders) will be asked to provide an overview of the organisation’s processing, an organisational chart and contact details for key contacts including ICT. A walkthrough of the breach reporting process and testing of access to the communication channels is also necessary. Ideally, there will be a primary contact point within the organisation to facilitate timely communication. At the end of the engagement, there needs to be similar hand over meeting where the returning DPO is briefed regarding any issues or matters dealt with and provided with any supporting documentation.
For longer-term engagements, such as for absences greater than 3 or 4 weeks, more detail will be required including access to core documentation such as the Record of Processing Activities, Data Protection Risk Register, Security Incident and Subject Access Request logs. It would also be advised that the relevant Data Protection Authority be notified on the new arrangement. Access to a Board member would also be strongly advised. All such DPO cover arrangements, irrespective of length, should be delivered under a contract that includes a clear commitment to confidentiality and secrecy with a data processing agreement attached.
If you would like to discuss accessing the provision of such services or require help in planning for wider business continuity events, please feel free to contact our advisors, who would be more than happy to help.