
Professional competence and due care

My new appointment to FD soured by pressure to be Data Protection Officer


Started new role in October 2017 as group FC at a tech SME. The previous FD was due to retire at the end of 2018, but this has accelerated due to his ill health, and I have now been promoted to group FD.

I love the role, great company, and glad I made the move. However, I have been asked/told I will be the group Data Protection Officer, which, having researched this, I feel unqualified to do. I have explained my concerns informally to the MD who quickly dismissed these and said he was amazed I was doubting myself for such a trivial task.

I made a point of bumping into the previous FD at dinner and took the opportunity to ask for his views, and he suggested that a Data Protection Officer was just "common sense" and I shouldn’t worry about the appointment.

Am I being unreasonable? Could this be a threat to the ACCA fundamental principles?

Replies (16)


By thevaliant
18th Apr 2018 11:26

Although having only briefly worked in industry, I've seen it all the time. One of my first jobs was as a clerk, where the FD was also the IT head. He didn't know the first thing about computers.

Unfortunately, head of finance inevitably means you get roped into literally everything.

Heard an advert on the radio years ago, where a person asks another friend, "Steve, you're a solicitor aren't you?", friend replies "No, I'm an accountant." First person then says, "Close enough. You see, I have this convoluted legal problem..."

Though personally, I think you may be worrying needlessly.

Thanks (0)
By jcace
18th Apr 2018 11:51

Is the company or group even required to have a DPO?
(The GDPR introduces a duty for you to appoint a data protection officer (DPO) if you are a public authority, or if you carry out certain types of processing activities.)
If not, then maybe suggest changing the title so that the requirements of a DPO do not fall on you, but you can still oversee the data protection side of things.
(If you decide to voluntarily appoint a DPO you should be aware that the same requirements of the position and tasks apply had the appointment been mandatory.)
Brackets cite ICO guidance at

Thanks (0)
By Glenn Martin
18th Apr 2018 16:56

Comes with the role, as 2nd in command these things will always land on your desk, if there is no one else to do them.

In my FD days, I ended up as Immigration Officer, HR, HSE, Legal consultant, IT consultant etc.

I didn't know how to do it either, but had to learn as they would not pay for external consultants to come in and do it.

It does help you develop all round business skills though, and how to be resourceful to fix problems.

Stood me in good stead to be one of them fancy, fine and dandy Advisory Accountants that the world now needs.

The truth is the role of the FD is maybe 30% finance and 70% other [***] no one else wants to do, but you wear a suit so must know what to do.

Thanks (5)
Replying to Glennzy:
By tom123
18th Apr 2018 12:13

I certainly agree with the 30/70 split!

I also have GDPR responsibility, but we are not large enough to require a DPO.

Thanks (0)
By Cheshire
18th Apr 2018 12:21

I agree with Glennzy too. Anything that doesn't fit into a neat little box will land on your desk.

GDPR is new to us all and someone has got to do it. Who would you suggest at your company if it was not to be you?

Think of it as CPD and a new string to your bow plus how good will that look on your CV (OK slightly overstating that part, but seriously a good all rounder who is prepared to roll their trousers up and get stuck in can go further in life than a box ticker).

Thanks (1)
By andy.partridge
18th Apr 2018 12:24

Soften the blow and think,

* Delegate as much as you can to some other poor sod
* Attend formal training
* Source external advisor

Thanks (1)
Hallerud at Easter
18th Apr 2018 12:27

Do what all small business entities do when tasks drift outwith comfort zones, hire a specialist consultancy to manage the day to day aspects.

I am in charge of a lot of areas about which I know very little, from staff contracts/HR/pensions to my input re health and safety, risk evaluation, staff training, insurance requirements, utility procurement etc. I have grasped the rudiments re each and then have consultants to advise re the nitty gritty, the fact is this is what all SMEs have to do and accountants are viewed as problem solvers in all areas. (I also deal with IT, fix computers, decide on software, make the coffee and on odd occasions heft the end of an 8x4 sheet of ply.)

Thanks (0)
By paul.benny
19th Apr 2018 11:04

The MD dismissed (my concerns) said he was amazed I was doubting myself for such a trivial task.

It's not trivial. GDPR introduces the possibility of very large fines for organisations that do not take data protection seriously.

It's also not just common sense. As with internal controls - a control is empty if it's not evidenced, with data protection, you have to get it right and you have to be able to show that you're getting it right.

Agree with other comments that this goes with the territory of being FD.

Get yourself some training - there are lots of free briefings around at the moment.
Get your MD briefed so that s/he understands the
Get your IT people on board - especially those in product development so that this isn't an afterthought for them.

Thanks (0)
By Alonicus
19th Apr 2018 11:14

Data protection is increasingly important. But for most industries (exceptions being things like finance services etc) it's about reading the rules, applying them in a systematic way that both meets the legal requirements and is appropriate to your industry, and being able to produce evidence.

With GDPR coming in, I have seen quite a few consultancies trying to make it look more complex than it is in order to try to sell massively over-priced training and compliance services.

In your case, I'd suggest starting by looking at the information the ICO gives away for free (book a day free of day to day interruptions to do it!) and see if there are any gaps in relation to your business, or any concerns around conflict of interest. Then identify any formal training or setup needed to enable you to supervise the system while building the evidence-gathering into normal working practices and procedures.

Then you can go to the MD with a costed request for any training you need and an outline proposal for changes needing to be made in business processes.

It never hurts to have another good thing on your CV!

Thanks (0)
By rememberscarborough
19th Apr 2018 11:29

One of these days I'm going to update my CV to include everything I've done over the years as an accountant. Now where to put key cutting and driving a forklift (pre H&S....)

Thanks (0)
By tom123
19th Apr 2018 14:52

I wonder (out loud) how large a business would need to be whereby the FD is only involved in accounting work.

Here, if it is not sales, engineering or manufacturing it falls to me.

Thanks (1)
Replying to tom123:
By lisaknowles
19th Apr 2018 16:43

I'd say there's no need for an FD if all that's required is Finance. The job is definitely not just number crunching. We're business leaders.

Thanks (0)
By lisaknowles
19th Apr 2018 16:47

I think as a business leader rather than just an accountant it is perfectly reasonable for Data Protection to be under your remit. The ICO website has some great resources, and if you feel overwhelmed you can book yourself a course and put a team together if the workload is too great for you to manage alone. This is the life of an FD, and ultimately as a director, the responsibility to have appropriate policies lies with you anyway, whether you feel qualified or not.

Thanks (0)
By arandall
20th Apr 2018 09:41

Agree with all the comments about FDs picking up what no one else wants - I've had that myself.

With GDPR, however, there is a chance for us to fight back to some extent.
Unless you are a public body, where it is mandatory for you to have a DPO, it will depend on the business you are in and the personal data you are processing whether you need a DPO (Article 37 of the GDPR). If you do, then the FD cannot be the DPO. GDPR article 29 states that the DPO must act in an independent manner and cannot have a position that "leads him or her to determine the purposes and the means of the processing of personal data". It states that as a rule of thumb this excludes senior management and possibly other management positions from being DPO as there will be a conflict of interest.
Plus, the DPO is expected to have the necessary skills, experience and knowledge to undertake the role. That doesn't mean a webinar.
So you may not be the DPO. Doesn't mean that the rest of it won't fall to you, of course.

Thanks (0)
By Suzanne2901
20th Apr 2018 09:43

I was promoted to Group Accountant nearly 3 years ago and I too have been landed with GDPR.
Reading these comments has made me smile as I have the same problems, anything anyone doesn’t know about “ask the accountant”.
I thought it was just me!
But I have just had to get on with it and I feel quite proud that I am implementing something as important as GDPR.
It will look great on the CV and when payrise time comes around....
And some people think being an accountant is boring?!

Thanks (0)
By harrisp
26th Apr 2018 10:16

Although the GDPR allows DPOs to “fulfil other tasks and duties”, organisations are obliged to ensure that there is no “conflict of interests” between those activities and the formal duties prescribed under the Regulation. Most senior positions within an organisation are likely to conflict with the DPO’s duties (e.g. chief executive, chief operating officer, chief financial officer, chief medical officer, head of marketing, head of HR or head of IT).

Thanks (0)