
GDPR and the Need for a Data Protection Officer – What’s Your Obligation?

The General Data Protection Regulation (GDPR) is the first EU-wide legislation to mandate that organisations appoint a Data Protection Officer (DPO) in certain circumstances. Jan Van Vliet, VP and GM, EMEA, Digital Guardian, examines why it makes sense for organisations to bring a DPO on board.

The concept of a Data Protection Officer (DPO) for organisations processing personal data has been around for many years. However, the appointment of a DPO is a mandatory requirement under GDPR for certain types of companies, regardless of their size or whether they are processing personal data in their capacity as a controller or processor.

With just weeks to go before the GDPR comes into effect on 25 May 2018, organisations will need to establish if they need to appoint a DPO and who should undertake this important role.

Who is required to appoint a DPO?

Article 37 of the GDPR sets out three primary scenarios where the appointment of a DPO is mandatory:

  1. Data processing is carried out by a public authority or body (other than courts acting in their judicial capacity), or
  2. The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require the regular and systematic monitoring of data subjects on a large scale, or
  3. The core activities of the controller or the processor consist of processing on a large scale of special categories of personal data (Article 9) or personal data relating to criminal convictions and offences (Article 10).

In other words, if behavioural analytics is part of your core activities and is carried out on a large scale – say tracking purchases or page views on a website to provide personalised ‘you may like this’ recommendations – or if you regularly process large volumes of data relating to people’s health, ethnicity, sexual orientation, or religious or philosophical beliefs, then you are required to have a DPO. Note that both conditions matter: the processing must be a core activity (not merely ancillary to it) and it must be large scale. If your firm’s only processing of personal data is its own HR data, that is treated as an ancillary activity and a DPO is not required on that basis alone.

The Article 29 Working Party (WP29), in its guidelines on DPOs, one of the EU’s earliest detailed commentaries on the provisions of the GDPR, sets out a number of examples of large scale processing. These include the processing of customer data in the regular course of business by a bank or insurance company, behavioural advertising by a search engine, and data (content, traffic, location) processing by telephone or internet companies. It also points out that ‘regular and systematic monitoring’ is not restricted to online behaviour and gives examples of profiling for credit scoring, fraud prevention or anti-money laundering, location tracking, and health and fitness tracking by wearable devices which, if large scale, will trigger an obligation to appoint a DPO.

What does a DPO do?

The GDPR (Article 39) is explicit about the tasks that DPOs are required to perform. These include informing the organisation and its employees of their data protection obligations and overseeing the training of staff, monitoring the organisation’s compliance with the GDPR and with its internal data protection policies, providing advice on data protection impact assessments (DPIAs) and monitoring their performance, serving as a contact point for individuals (data subjects) on privacy matters, and cooperating with the supervisory authority – the Information Commissioner’s Office (ICO) in the UK – and acting as its contact point.

The regulation stipulates that the DPO must report directly to the highest level of management, be given all the resources necessary to carry out their functions, and must operate independently, without receiving instructions from their employer about how to carry out their tasks. The DPO may not be dismissed or penalised for performing those tasks.

The guidance also emphasises that the DPO is not personally responsible for non-compliance with GDPR. Liability remains with the controller or processor to demonstrate that processing activities are performed in accordance with the GDPR.

Who should be appointed?

There are currently no mandatory qualifications for who can be a DPO, although WP29 gives examples of senior roles that would typically create a conflict of interest and so should not hold the post: chief executive, chief financial officer, head of IT, head of marketing, chief operating officer and head of HR. The test is whether the person would be determining the purposes and means of processing personal data; anyone in such a position cannot independently monitor that same processing. This makes someone from in-house legal or compliance a popular choice, and Article 37 does require the DPO to be designated on the basis of professional qualities, in particular ‘expert knowledge of data protection law and practices’.

It’s worth noting that the ICO confirms that firms can contract out the role of DPO externally with an individual or organisation. Having said that, any external DPO must have a good understanding of your firm’s data processing operations in order to be of real value.

Because DPOs need to have a complete understanding of the IT infrastructure and technical and organisational structure of the business, the best place to start looking for a DPO will be within the existing employee base.

Even if your firm does not have to make a mandatory DPO appointment, there are clear benefits to appointing one on a voluntary basis. Not only will this demonstrate to the Information Commissioner’s Office that you are serious in your commitment to comply with your data protection obligations – it also sends a strong message to customers. Bear in mind, however, that WP29 makes clear that a voluntarily appointed DPO is subject to the same requirements on position, tasks and independence as a mandatory one; if you want an adviser without those obligations, do not use the DPO title. A DPO is not required to be a permanent employee, but the data protection knowledge and expertise they can bring to a business can be priceless.
