Call us on 03450 21 21 51

Who should be appointed as DPO? And 5 other questions you need to be asking within your business
The SRM Blog

Who should be appointed as DPO? And 5 other questions you need to be asking within your business

Katie McMillan

Written by Katie McMillan

23rd December 2019

Share this article

business continuity planning

We don’t always appreciate awkward questions; they can make us feel uncomfortable. But if there is a possibility that you are leaving your business vulnerable to cyber attack, you will know that the alternative is worse. This is made apparent in the latest data which shows that as many as 88% of UK businesses have been breached in the last 12 months, with well over a third (37%) forced to report a breach to the ICO[1].

Many of these organisations, particularly SMEs, simply aren’t able to recover from the financial or reputational consequences of a serious attack. And that makes it even more imperative that companies look to get their processes, procedures and personnel in order as we head into the next decade.

If it’s clear that you aren’t doing enough to safeguard against information security threats, here are a few quick questions you should be asking within your team:


Who should be appointed as DPO? 

Not every business is legally obliged to appoint a data protection officer (DPO) but that doesn’t mean that they shouldn’t have one. Small organisations are typically not bound by the same GDPR requirements as their larger counterparts when it comes to appointing a DPO – yet it is important that every organisation has someone accountable and responsible for the security of information.

The DPO role is designed to monitor compliance with GDPR and other data protection obligations. They must be independent experts in data protection, adequately resourced, and report to the highest management level. This can be a tough role to fill.

Thankfully, the GDPR provides organisations with a number of options for finding someone who meets the exacting standards. The DPO role can be filled internally with an employee focusing on data protection and compliance alongside other responsibilities (as long as there is no conflict) or the DPO role can be shared with other businesses or outsourced to a professional service provider.

The benefit of outsourcing the DPO role is that genuine expertise can be provided in a cost effective manner, rather than tasking an ill-prepared member of the in-house team with this responsibility. External DPO provision also means tapping into expertise that can add real value in terms of business continuity planning and disaster recovery planning. While an external DPO will not hold overall accountability for data protection (that must always remain with a senior individual within the organisation), they will act as a valuable resource and help to ease the strain on the team within an organisation.


Do you regularly backup your data and is that backup held securely?

Backing up your data shouldn’t be considered a chore; instead it needs to be treated as an essential feature of your continuity plans. This can be done in a variety of ways including a USB stick, the cloud or a separate computer. Access should be limited to those who need it and it is important that the backup link is not permanently connected. For added security, the backup should be held in a separate location.

Remember, too, that a one-off duplicate won’t be of much help a year down the line. Instead, you’ll need to backup on a regular basis.


Do you take specific steps to reduce the risk of malware?

Malware is malicious software designed specifically to cause harm. When it comes to this dangerous type of threat to your information security, prevention is undoubtedly better than a cure. Deploying the right antivirus software and firewalls should be considered alongside staff training and general business awareness programmes.


Do your employees know how the respond to a potential phishing attack?

Phishing involves the use of fake emails to ask individuals for sensitive information that could compromise a business. Phishing attacks are often difficult to identify and even the most observant can be duped. It is therefore important to restrict access to those who need each specific level of information. Training can help staff to understand how to identify potential phishing emails and they should also have a clear reporting pathway in the event that they spot something suspicious.


Are you relying on passwords alone to provide protection?

Relying on password protection alone can leave your organisation vulnerable. Of course, laptops should always be password protected but encryption products can provide added security. Although most modern devices have inbuilt encryption it is important that these are set up and configured correctly. In addition, two-factor authentication, where the user needs to use two different methods to determine their identity, provides a much higher level of security.

Increasingly, fingerprint or facial recognition are helping to reduce the need for passwords. However, in many cases it is still advisable to utilise a password manager within your business, enabling you to create and store complex passwords across the organisation’s various hardware and software tools.


Do you have a protocol for keeping your employees’ devices safe?

With increasing amounts of data being stored on laptops, smartphones and tablets, the fact that they regularly leave your business premises presents a challenge. Staff training and awareness are of vital importance here, with strict protocols for using password protection. These need to be suitably complex, not easily guessed from social media profiles, and fingerprint recognition should also be considered where possible.

Think also about implementing strict protocols for reporting lost or stolen devices which include them being tracked, remotely locked or even wiped. All relevant updates should be installed and apps kept up to date. Above all, employees should be aware of the risks presented by unknown WiFi hotspots, and encouraged to use the device’s mobile 3G or 4G networks which provide more security.


If the answer to any or all of these questions is “no”, there’s no need to panic. But there is a very real need to make improvements to what information security professionals would call your “risk posture”. By breaking down what you do well, what you’re not quite as competent at, and what you’re completely neglecting, it’s possible to lay the foundations for a remedial plan. The easiest thing to do is simply pick up the phone or email us and chat through your concerns. At SRM we won’t try to terrify you into buying services you don’t genuinely need; instead we’ll help to accurately scope out your requirements (free of charge) and then give you a realistic idea of what it will take to reduce your risk.

Contact us now on 03450 21 21 51 or





Back to top