Virtual data protection officer service helps UK businesses with GDPR compliance [Q&A]
With GDPR coming into effect on 25th May, many organizations will find themselves needing to appoint a data protection officer in order to comply.
But appointing full-time compliance staff can be a difficult and costly exercise, which is why cyber security company ThinkMarble is launching a Virtual Data Protection Officer (VDPO) service.
The service will offer UK businesses access to a skilled team of cyber security and risk mitigation lawyers that can act as their Data Protection Officer (DPO) under GDPR. The lawyers will work alongside ThinkMarble's multi-disciplinary team of security analysts, incident responders and penetration testers to provide a fully comprehensive and bespoke service to businesses.
The team will act as the main contact point for data subjects, such as employees and customers, and help raise awareness and train in-house staff on the importance of data protection. Another function is to provide regular, comprehensive reports that advise on appropriate data security measures and risk mitigation at board and management level.
We spoke to Andy Miles, founder and CEO, and Robert Wassall, data protection lawyer and head of legal services at ThinkMarble to find out more about the offering.
BN: Why are you introducing this service?
AM: Something we spotted in the market is that there is a need for a one-stop shop for businesses where not only can we help protect them, we can have a full incident response team under one roof. Around 28,000 businesses are going to need a DPO once GDPR comes into force, but there's a debate about who can and can't be a DPO.
RW: The multi-disciplinary aspect of this is going to be unique. It’s an external service so organizations don’t have to take on people as employees with the associated costs, or go to the time and trouble of training somebody up.
BN: So this is not just a DPO service, it's part of a wider portfolio?
AM: Yes, but we don't mandate that anybody take any of the other services. If they take the VDPO service we will support them over the year. They'll get a monthly webinar with the legal team here. We will also review the client's policies on a regular basis.
BN: Isn't it important for a DPO to have some inside knowledge of the business and the data it holds and uses?
RW: Yes, it depends on how specialist the business is. They don't need to know the business inside out but they do need an understanding of the type of personal data they would be processing and the risks associated with it, plus the risks caused to the data subject by that processing.
AM: We go through a due diligence phase when we take clients on to understand their sector and their business. We also need to understand where they are in terms of their existing data protection level. Something we heard in beta testing this was that people preferred to have an outsourced DPO service. They prefer external counsel that can engage with senior management at a direct level to give a very firm view of what the law is.
RW: Article 37 of the GDPR says that DPOs must have 'relevant expertise' in European and national data protection laws and practices, and an 'in-depth' understanding of GDPR. Yet companies are appointing people as DPOs on the basis of a five-day training course.
BN: Will there be a skills shortage in this area?
RW: There is a skills shortage. We're on the cusp of creating a new profession of DPOs as a direct consequence of GDPR. Other organizations in this area have one skill base, they may be a lawyer, they may be techies, but what we offer is a combination that is highly attractive.
AM: We have an information security officer in house and can also offer that as a service, so we can very rapidly bring both a legal team and a CISO to the table. A small to medium business simply couldn’t afford to have this sort of team in-house.
BN: Is this particularly aimed at small to mid-size businesses?
AM: The original premise of the business was to target the SMB market. However, we've been approached by four or five plcs, so we’re quite happy to deal with bigger firms too.
BN: What's the current state of GDPR preparedness?
RW: It's obviously mixed, but I think the large organizations are pretty well in control. There are some exceptions, but it's patchy; there will be an awful lot of organizations who are not going to be ready for this, and some who haven't even started to prepare.
AM: We work a lot in the legal sector and there are firms that are giving advice on GDPR, yet we're helping them to prepare! It will be interesting to see what the ICO is going to do after the 25th of May.
BN: Will it take someone being fined under GDPR before some companies start to take it seriously?
RW: Yes, a lot of businesses are struggling to get ready because they're not doing what they should be. Also, for those that are not required by law to have a DPO, many won't bother. I think a lot of those are going to come unstuck. They still need to have a discussion around whether they need a DPO and record that they've had the discussion and -- if they decide not to appoint a DPO -- the reasons why. If there's an incident that the ICO investigates, they will ask whether you have a DPO and, if not, why not. In future it will be expected that companies have a DPO; it will be a badge that they're taking data protection seriously. Having an external DPO will emphasize that even more.
AM: This comes down to reputation, it's not just about being investigated and fined, it's about reputational damage going forward. It's alarming that many people still have their heads in the sand and don't know what to do.
You can find out more about the VDPO service on the ThinkMarble website.