The Role of the Data Protection Officer
Organisations in the UK that control or process personal data of EU citizens have until May next year to comply with the new EU General Data Protection Regulation (GDPR). The Regulation replaces the Data Protection Act 1998 and will impose many new and onerous obligations on UK organisations.
It is becoming clear that the impact this will have is not fully understood or appreciated. For example, there is a common misconception that only large organisations and public authorities will need to appoint a Data Protection Officer (DPO).
GDPR actually makes it mandatory to appoint a DPO in organisations:
- where the processing is carried out by a public authority or body;
- where the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale; or
- where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.
These criteria apply to far more organisations than many people realise. You should establish whether your organisation falls within the scope of this requirement and, if it does, you must appoint a DPO. We have produced another article that explains the criteria in much more detail and will help you come to a conclusion – read it here.
What will the role of the DPO involve?
The role of the DPO is codified in Article 39 of the GDPR and includes educating and training the organisation and employees on GDPR compliance, conducting data audits, monitoring performance, maintaining comprehensive records of data processing activities and serving as a point of contact between the company and the Information Commissioner or individual data subjects.
A DPO can be an external appointment - many new consultancies and agencies are springing up to meet this demand. If you appoint someone internally, they must be independent of the Board and of the management of the data. Much like an internal auditor, they must be robustly independent and must not be penalised for any decisions or actions based on their findings.
The DPO shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.
The DPO is permitted to have other duties, provided those duties do not result in a conflict of interests. This means that the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data. Because the organisational structure differs from one organisation to another, this has to be considered case by case. As a rule of thumb, conflicting positions may include senior management positions (such as chief executive officer, chief operating officer, chief financial officer, chief medical officer, head of marketing, head of Human Resources or head of IT) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of the purposes and means of processing.
If you are still not sure whether or not you must appoint a DPO then you should contact the Information Commissioner’s Office for further advice.
Our extremely popular one-day course, Preparing for the General Data Protection Regulation, is a step-by-step guide to GDPR and will help you understand what you should be doing now and in the coming months to prepare for the important changes. The course will show you how to comply with the Regulation and what will change from the existing legislation. It will explain the new rules regarding the legal basis for processing, consent, privacy notices, control of personal data, mandatory breach reporting, complaints and penalties. The financial penalties for non-compliance will be very substantial so it is absolutely vital that your organisation is fully prepared as early as possible.