Does your business need a data protection officer to manage GDPR requirements?
Data protection officers can help a company to account for regulatory requirements that will be ushered in by the GDPR - regardless of whether the new rules require them to employ one or not.
Businesses of all sizes are currently in the process of readying themselves for the new General Data Protection Regulation (GDPR), which represents one of the biggest changes to data protection law in recent memory.
The new European law - which will come into effect on May 25th 2018 - will give individuals in the EU enhanced control over their personal information, allowing them to withdraw consent for companies to process their data, while also offering additional protection from data breaches. Since it applies to any organisation, wherever it is based, that processes the personal data of people in the EU, GDPR represents a regulatory shift with a global impact.
In order to manage this transition, many businesses are hiring dedicated data protection officers (DPOs) to oversee their overhauled data policies. While this can be useful, in many cases the decision to take this step is being complicated by a lack of awareness of whether it is legally necessary to do so. As such, this is an issue on which managers might benefit from greater clarity.
What is the role of a DPO?
Appointing a DPO or dedicated risk owner can help your organisation to cover a number of key GDPR processes, as they can take responsibility for determining each member of staff's obligations under the GDPR and monitor compliance with the policies in place for the protection of personal data, including staff training and audits.
They are also responsible for providing advice in relation to data protection impact assessments, and for acting as the main point of contact between the business, data subjects and the Information Commissioner's Office, the body that will be overseeing GDPR compliance in the UK.
Although becoming a DPO does not require any particular certification, the regulation does expect appointees to have expert knowledge of data protection law and practice. It's also important to note that appointees need to be independent: they may hold other duties, but not ones that conflict with the DPO role, so they cannot be the people who decide how the company collects and uses personal data. As such, it's likely to be best to select a member of the legal or compliance team to take on the role, or to contract an external DPO under a service contract, which the regulation also permits.
Is your organisation required to hire a DPO?
For many firms, the choice to hire a DPO will be one they can decide for themselves, but it's vital to remember that other organisations will be legally required to employ one as part of their GDPR responsibilities.
In cases where data processing is carried out by a public authority or body, a DPO will be compulsory, and this will also be the case when the core activities of the business consist of processing operations that require regular and systematic monitoring of data subjects on a large scale. Additionally, DPOs will be needed if your organisation's core activities consist of large-scale processing of special categories of personal data (such as health, biometric or political data), or of information relating to criminal convictions and offences.
It's essential that your company does the legwork to find out whether they are deemed to occupy any of these categories, as a failure to adhere to DPO compliance obligations may result in a fine of up to €10 million, or two per cent of annual worldwide turnover - whichever is higher.
What are the benefits of having a DPO in-house?
Naturally, this means that any company that is required to appoint a DPO should do so as soon as possible; however, even for those that are not affected by this obligation, taking on a DPO can still be a positive step.
After all, making the necessary changes and implementing the appropriate learning and development policies to account for the GDPR reforms is likely to be a complex, broad-ranging process, especially for larger organisations. Centralising responsibility for these tasks can help them to go much more smoothly, while also providing everyone in the company with a designated point of contact.
Moreover, hiring a DPO will act as a demonstration that your business is taking its new responsibilities seriously - a vital consideration if you wish to remain a trusted steward of personal data among clients and regulators in a post-GDPR landscape.