Here’s the big belief many people have: GDPR is just another set of regulations that won’t be enforced. The truth is that if you aren’t keeping up to date with these changes, it could cost you more than you think. So if one of the questions you’re asking yourself is “Do I need a Data Protection Officer?”, just know that designating a DPO could save you many GDPR headaches, as you’ll discover in this post.
What constitutes ‘large scale’ has yet to be defined. It is likely that only case law will do so over time. However, it is as much about the categories and sensitivity of the data you process as it is about the number of records. The more sensitive the nature of the data processed, the fewer records you will need to process for it to count.
You can appoint your DPO from within your organisation; however, the Regulation requires that (amongst other things) they must have ‘expert knowledge of data protection law’, and the responsibilities of their existing role must not conflict with the duties required by the role of a DPO. There’s more guidance on appointing a DPO on the ICO’s website.
Generally, this means your DPO can’t be a director or senior manager, as the remit of their role is to develop the organisation, rather than represent and act on behalf of your data subjects. Nor can they be anyone junior, as they must ‘report to the highest level of management’.
By doing so, you’ll have someone on board who understands the requirements, has appropriate knowledge of the regulations, has experience of implementing practical solutions and has access to the necessary tried and tested documentation to deliver compliance quickly and effectively.
Qualified DPOs provide proactive advice, and they can write your policies and provide training for you and your team. They are also responsible for responding to data processing enquiries from regulators such as the ICO, your staff and the Data Subjects whose personal data you store.
If you outsource your DPO role, they are likely to be appointed in a part-time capacity. Therefore, you are going to require access to a reliable data protection advice line for the times when your DPO is not dedicated to you. When you’re looking to maintain your compliance, react to issues as they arise and respond in a timely manner to requests from regulators and your Data Subjects, an advice line is going to be an invaluable resource for your organisation.
If you are still unclear and are asking yourself “Do I need a Data Protection Officer?”, or you are unsure of your next steps, please feel free to contact us so we can help you make the most appropriate decision for your business.