GDPR: To DPO or not to DPO – a guest post
I’m frequently contacted by people who have products and services of relevance to my clients. For over 20 years I have maintained a policy that I do not accept introducers’ fees or commissions – I simply broadcast and comment on good ideas.
According to the Information Commissioner’s Office (ICO), it is a mandatory requirement* for dental practices, whether NHS or private, to appoint an independent Data Protection Officer (DPO) as part of their ongoing compliance with GDPR, in addition to meeting the other GDPR requirements.
A lot of dentists may think that they don’t need the Data Protection Officer (DPO) function for their practice, or that the principal dentist or practice manager can add the word DPO to their title and the regulatory responsibility is fulfilled. There are a number of considerations to keep in mind.
First, the DPO has to be independent and must not have a conflict of interest.
Second, dentists want to do dentistry and generate income for the practice, rather than spend time learning data protection regulation, legalese and the details of IT and encryption technologies. Practice staff are already stretched, so they may not be able to take on a new but crucial responsibility effectively.
Third, the legislation with its recitals is over 150 pages long, and implementing it requires a lot of knowledge about information systems, data storage, privacy regulations, roles and responsibilities, and legal requirements, together with an understanding of the relevant technologies and methodologies.
Additionally, in some cases the principals and owners may not be willing to grant internal team members full access to their computers, which may contain their confidential information.
The DPO function has quite a few requirements. The role includes, for example, the following (non-exhaustive) list:
Data protection impact assessment (DPIA) (i.e. gap analysis and risk assessment)
Data inventory and data flow analysis
Supplier / vendor analysis
Findings and remediation
Frameworks, Policies and Advice:
Design of data privacy framework and documentation of policies and procedures
Advice on privacy rights management (information, access, rectification, objection, erasure and data portability)
Data protection awareness and training
Point of contact for all data protection matters
Administrative and ongoing work:
Provide guidance on data breach monitoring, management and reporting
Data subject access rights management
Consent / opt-in management
Personal data processing register
Since compliance is an ongoing matter, there are tools that can help with automating and streamlining the processes associated with data protection.
A practice could designate an internal team member dedicated to providing the DPO function; however, for practices wanting to avoid the hassle, it is also possible to outsource the DPO role to an external service provider.
Welltime (in collaboration with Data Decorum) provides an external DPO service especially designed for dental practices. It was created by a team of certified risk management and data privacy professionals, holding CISA and CRISC certifications, who are subject matter experts in data protection, privacy, IT audit/risk management and information security. We are able to provide an end-to-end solution for GDPR compliance in the dental industry, benefitting from over 10 years of automation and integrations experience. We take the practice through a managed, structured 6-week compliance journey in which we systematically guide, assist and enable dental practices to achieve GDPR compliance in a cost-effective manner. And with our tools and automation, we can help practices to remain compliant.
If you have any questions, please feel free to get in touch.