The UK’s tax office, HMRC, has announced that it is seeking a new Data Protection Officer (DPO) to help the department navigate the complexities of the forthcoming EU General Data Protection Regulation (GDPR), which is due to come into effect in May 2018.
Despite the UK’s decision to leave the EU in 2019, regulators have decided to continue to comply with GDPR to keep close data links with other EU member states and have incorporated the new data protection rules into the recently announced Data Protection Bill.
GDPR has a number of requirements, which include:
- a requirement for consent – businesses will need to ensure that all customers know that the business has their data and that they consent to the business having that data
- businesses will have three days to report data breaches to both the authorities and customers
- the Right to be Forgotten – customers will have the right to ask businesses to delete all of their data, and to prove that they have done so
- data portability – the aim being to create an environment where businesses can easily swap their data between different providers, whilst ensuring the data is erased from the old provider’s systems.
- hefty fines for data breaches will be introduced – up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater.
Businesses and government are rapidly trying to prepare for the introduction of GDPR. Recent government research found that 94% of FTSE 350 companies are underprepared for GDPR.
Introducing the candidate pack for the job, HMRC’s Jon Ashton, director of cyber security & information risks at the department, outlined the need for the creation of the DPO position. Ashton said:
You could be the first incumbent of this new role, which is mandatory under the General Data Protection Regulation (GDPR). This is a demanding role with significant leadership and assurance responsibilities across the whole span of data protection and data privacy issues.
This exciting high profile role is an opportunity to lead HMRC on its journey towards compliance with GDPR, working across HMRC and with the Information Commissioner’s Office, the UK’s regulatory authority for data protection.
This role will also be responsible for Information Governance in HMRC, an organisation with one of the largest and most complex technology estates in the UK.
I am looking for an inspirational leader who is up for the challenge of building and leading a new team to support the execution of HMRC’s GDPR obligations, drawing on resources from across the organisation and working with other DPOs in the public and private sector.
The candidate pack also outlined a number of potential challenges the successful applicant is likely to face in the first few months into the job. It states:
- HMRC currently holds over 2.5 billion pieces of data on individuals and businesses residing within the UK and needs to think about how it is compliant to GDPR legislation.
- HMRC recently moved 99 million Tax & NI accounts from old legacy systems into a new virtualized service.
- HMRC interacts with over 2 million individuals or businesses via its online chatbot and records these conversations to help prevent fraud, but how can it store these conversations and use the data?
- HMRC currently leads the way in Government with the use of automation – how will it hold data to enable the use of such technology?
- Working with other Government organisations, how can HMRC ensure that all data held and shared meets the GDPR legislation?
Candidates applying for the advertised role at HMRC – which carries a salary of almost £118,000 and will form part of the department’s Chief Digital & Information Officer Group – have until the 15th December to do so. Interviews are scheduled for January next year.