- May 12, 2018
- Data Protection Officer
Here’s the big belief many people have – GDPR is just another set of regulations that won’t be enforced. The truth is that if you aren’t keeping up to date with these changes, it could cost you more than you think. So if one of the questions you’re asking yourself is “Do I need a Data Protection Officer?”, just know that designating a DPO could save you many GDPR headaches, as you’ll discover in this post.
Here are the three specific circumstances where the GDPR requires you to designate a DPO, as indicated in Article 37:
- Where processing is carried out by a public authority or body, i.e. organisations required to respond to Freedom of Information Act requests;
- Where the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, such as CCTV systems, dashcams and website cookies; or
- Where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to race and religion, health records, and criminal convictions and offences.
What constitutes ‘large scale’ has yet to be defined; it is likely that only case law will do so over time. However, it is as much about the categories and sensitivity of the data you process as it is about the number of records. The more sensitive the data processed, the fewer records you need to process for the requirement to apply.
You can appoint your DPO from within your organisation; however, the Regulation requires (amongst other things) that they must have ‘expert knowledge of data protection law’ and that the responsibilities of their existing role must not conflict with the duties of a DPO. There’s more guidance on appointing a DPO on the ICO’s website.
Generally, this means your DPO can’t be a director or senior manager, as the remit of their role is to develop the organisation rather than to represent and act on behalf of your data subjects. Nor can they be anyone junior, as they must ‘report to the highest level of management’.
The alternative therefore, if you’re still asking yourself “Do I need a Data Protection Officer”, is to outsource your DPO.
By doing so, you’ll have someone on board who understands the requirements, has appropriate knowledge of the regulations, has experience of implementing practical solutions and has access to the necessary tried and tested documentation to deliver compliance quickly and effectively.
Qualified DPOs provide proactive advice; they can write your policies and provide training for you and your team. They are also responsible for responding to data processing enquiries from regulators such as the ICO, from your staff, and from the Data Subjects whose personal data you hold.
If you outsource your DPO role, they are likely to be appointed in a part-time capacity. Therefore, you will need access to a reliable data protection advice line for the times when your DPO is not dedicated to you. If you want to maintain your compliance, react to issues as they arise, and respond in a timely manner to requests from regulators and your Data Subjects, an advice line will be an invaluable resource for your organisation.
If you are still unclear, still asking yourself “Do I need a Data Protection Officer?”, or unsure of your next steps, please feel free to contact us so we can help you make the most appropriate decision for your business.
You can find more of our GDPR and Data Protection related articles via this link.