Data Protection – responsibilities and compliance
The requirements of the GDPR are significant, and even if you currently comply with existing regulations, you may need to update your current policies, develop new ones, and ensure that these are properly documented. This will necessitate time, effort, and cost.
“But do I need to appoint a Data Protection Officer, if I haven’t already?”
Well, it is most important that someone in your organisation, or an external data protection advisor, takes responsibility for data protection compliance, and that you assess where this role will sit within your business structure and governance arrangements.
Such a person should have the knowledge, support, and authority to carry out their role effectively.
When you must appoint a data protection officer
The obligation to appoint a Data Protection Officer (DPO) applies to both controllers and processors, and you MUST formally designate a DPO if you are:
- a public authority or body (except for courts acting in their judicial capacity);
- an organisation that carries out the regular and systematic monitoring of individuals on a large scale; or
- an organisation that carries out the large-scale processing of special categories of data (such as health records) or of data relating to criminal convictions and offences.
You may appoint a DPO even if the GDPR does not oblige you to do so. If you are not required to appoint a DPO, you must still ensure that your organisation has sufficient staff and skills to discharge its obligations under the GDPR.
Role of the Data Protection Officer
The DPO is responsible for monitoring compliance with the GDPR, providing information and advice, and liaising with the supervisory authority (the Information Commissioner's Office in the UK).
The Regulation defines the minimum tasks of a DPO as:
- informing and advising the organisation and its employees about their obligations to comply with the GDPR and other data protection laws;
- monitoring compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff, and conducting internal audits; and
- being the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers, etc.).
This is an important role and the DPO must:
- report to the highest level of management within the business, and
- be able to operate independently and not be dismissed or penalised for performing their tasks.
The role of the DPO can be allocated to an existing employee and it does not have to be a full-time role. However, this applies only if the employee's existing professional duties are compatible with the duties of the DPO and do not lead to a conflict of interest.
You can also contract out the role of the DPO externally.
Does the Data Protection Officer need specific qualifications?
The GDPR does not specify the precise credentials a data protection officer must hold, but it does require that they have professional experience and expert knowledge of data protection law and practice. This should be proportionate to the type of processing your organisation carries out, considering the level of protection the personal data requires.
Action to take now
You should consider whether your organisation is required to formally appoint a DPO under the Regulation. Even if the GDPR does not require it, you may consider it worthwhile. If you do not appoint a DPO, you should determine who in your business will be responsible for data protection compliance.
In either case, you should prepare a job specification outlining the role and responsibilities and appropriate reporting lines.