ABC of GDPR – BANISHING THE MYTHS ABOUT DATA PROTECTION OFFICERS
Who must have a DPO?
Although the data controller or processor is always going to be responsible for compliance obligations (DPOs are not personally responsible for non-compliance) the role exists, in part, to help with added responsibilities under GDPR. Some organisations MUST appoint a Data Protection Officer or a DPO. Those organisations include:
- Most public authorities
- Organisations who carry out large scale systematic monitoring of individuals, such as online behaviour tracking
- Organisations who carry out large scale processing of special categories of data (more sensitive personal data) or data relating to criminal offences and convictions.
What is “large scale” is going to depend both on the job and the data being processed, but, for example, we know that processing of customer data as part of your everyday tasks modest size business could well be “large scale”.
Do we need a DPO?
Whilst many organisations don’t need to appoint a DPO the ICO, who will be the supervisory body, for GDPR, believe that it may be beneficial to do so anyway because if GDPR applies to you, then you must
- comply with data protection obligations AND
- be able to provide proof that you do this – this is additional work which has to be done by someone who has the knowledge to implement compliance
Can I have an outsourced DPO?
Your DPO doesn’t have to be employed by your organisation – you can contract out the role. In fact, this could well be better for your organisation because DPOs must
- Operate independently from your organisation, without being told how they carry out tasks and what results should be achieved
- Report always to the “highest management level” so the business owner or board of directors’ level
- Be given adequate resources so that they can meet GDPR obligations. Resources like enough time and support and access to all the information and input that is needed
- Be able to perform their role without being in any way penalised (sacked or treated differently)
- Not perform other duties if this could cause a conflict with their DPO role. Although this will depend on the circumstances, if being a DPO is only part of someone’s duties (for example they are also a manager or hold a senior position such as in HR, IT or marketing) ) then this could be a problem
What exactly does a DPO do?
The role of a DPO is varied and quite complicated and whilst GDPR obligations do feature heavily in the role, it’s about data protection generally and so would, for example, include the Privacy and Electronic Communications Regulations as well as other legislation.
We know that a DPO needs to understand the risks associated with data processing and the safeguards which that can be put in place to prevent or at least mitigate them. DPOs must also do at least the following too:
- Generally, raise awareness of data protection by letting everyone in the organisation know about their obligations to comply with data protection law, including GDPR
- Advise and monitor how the organisation is complying with data protection obligations generally. This would include
- Assigning responsibilities
- managing internal data protection policies, procedures and activities
- training staff
- conducting internal audits
- giving advice about the necessity of data protection impact assessments and how and when to do them
- To be the first point of contact for
- individuals whose data is processed by the organisation, for example, your clients/customers and employees, including dealing with any complaints
- the ICO and/or any other relevant supervisory authorities, including for any breaches of data protection
If you need help on any GDPR matter please email us at [email protected] or call us on 01244 300413