DPOs - who needs them?

You need to appoint a DPO in the following circumstances.

  • You are a public authority.
  • Your core activities involve monitoring individuals’ behaviours on a large scale, such as on the Internet.
  • Your core activities involve large scale monitoring of special category data.

Examples of large-scale processing include the following.

  • A hospital (but not an individual doctor) processing patient data.
  • Tracking individuals using a city’s public transport system.
  • A fast food chain tracking real-time location of its customers.
  • An insurance company or bank processing customer data.
  • A search engine processing data for behavioural advertising.
  • A telephone or internet service provider processing user data.

If in doubt, check out the ICO’s website

The DPO can be an internal employee or someone external. A company can appoint a DPO, even if not required to do so by law.

The DPO and the data protection function

Given the legal requirements of data protection, the person appointed as a DPO is often a lawyer. However, the data protection function, for which the DPO is responsible, also requires a knowledge of the technical requirements of data protection, as well as a knowledge of the business. It is unusual to find all these skills in one person, so the DPO usually has a team whose members cover the required skill sets.

N+S can help your company supplement any skill shortages in its data protection function. In addition to cybersecurity skills, we can provide Certified GDPR Practitioners to help you meet your data protection obligations. Contact us.

Cybersecurity - no longer just a technical issue

Cybersecurity threats have become more complex and the consequences of failure have become more severe, both financially and legally. Cybersecurity is now a boardroom issue, as the directors are ultimately responsible. Effective cybersecurity needs to be supported from the top. There has never been a greater need for good communication between the CISO (chief information security officer) and the board.

So - what’s the problem?

In our experience of dealing with many different types of company, when the relationship between the CISO and the board is less than ideal, as it often is, poor communication is usually the cause. The two sides typically do not speak the same language.


CISOs generally come from a technical IT background. They are capable of describing the security problems and requirements from an IT perspective. We have trained a number of CISOs and aspiring CISOs. What they struggle with is putting their case to the board in terms which are likely to resonate with directors, particularly financial terms. Security expenditure is often just seen as a cost, without any consideration of RoSI (return on security investment).

The Board?

There is usually also a problem at board level. Few directors have a background in cybersecurity or IT, and so are unable to bridge the gap. While there may not be need for an executive director with this level of experience, there is scope for an advisory role that could be filled by a non-executive director (NED). Unfortunately, even for those companies that have NEDs on their boards, there are few NEDs with this level of expertise.

How we can help

We have some experience of training CISOs in communicating effectively with boards. We also have a NED with some knowledge of what it is like to be on the other side of the fence. If this is an issue that your company would like to address, contact us about providing tailored consultancy/training.