The Role of the Data Protection Officer
Organisations in the UK that control or process personal data of EU citizens have until May next year to comply with the new EU General Data Protection Regulation (GDPR). The Regulation replaces the Data Protection Act 1998 and will impose many new and onerous obligations on UK organisations.
It is becoming clear that the impact this will have is not fully understood or appreciated. For example, there is a common misconception that only large organisations and public authorities will need to appoint a Data Protection Officer (DPO).
GDPR actually makes it mandatory to appoint a DPO in organisations:
- where the processing is carried out by a public authority or body;
- where the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or
- where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.
These criteria apply to far more organisations than many people realise. You should establish whether your organisation falls within the scope of this requirement and therefore must appoint a DPO. We have produced another article that explains the criteria in much more detail and will help you come to a conclusion.
What will the role of the DPO involve?
The role of the DPO is codified in Article 39 of the GDPR and includes educating and training the organisation and employees on GDPR compliance, conducting data audits, monitoring performance, maintaining comprehensive records of data processing activities and serving as a point of contact between the company and the Information Commissioner or individual data subjects.
A DPO can be an external appointment - many new consultancies and agencies are springing up to meet this demand. If you appoint someone internally, they must be independent of the Board and the management of the data. Almost like an internal auditor, they must be robustly independent and not sanctioned for any decisions or actions based on their findings.
The DPO shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.
The DPO is permitted to have other duties if those duties do not result in a conflict of interests. This means that the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data. Because each organisation has its own structure, this has to be considered case by case. As a rule of thumb, conflicting positions may include senior management positions (such as chief executive officer, chief operating officer, chief financial officer, chief medical officer, head of the marketing department, head of Human Resources or head of IT) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of the purposes and means of processing.
Want to know more about the role of the DPO?
If you would like to know more about the Role of the Data Protection Officer under GDPR, then you would benefit from attending our half-day course on this topic. This course is essential training for all organisations caught within the scope of the new requirement to appoint a Data Protection Officer under the EU General Data Protection Regulation (GDPR). During the course, our expert presenter will explain the DPO requirements and how they apply to your organisation. It will also clearly explain where the DPO should fit in the organisational structure, what you need to consider when appointing and the duties of the DPO as set out in the GDPR.
You may also want to consider our comprehensive full-day course, which covers everything you need to know about GDPR. Preparing for the General Data Protection Regulation is a step-by-step guide to GDPR and will help you understand what you should be doing now and in the coming months to prepare for the changes.