The deadline is 25 May 2018. (We can’t stress this point enough!) Some may think a year is plenty of time to become compliant; if so, they haven’t read it. We have, and we can guarantee that the longer you put this off, the more painful it is going to be.
By that date, a lot of work must be done to avoid the consequences of non-compliance. One of the most important requirements is that, under certain circumstances, organisations must appoint a Data Protection Officer (DPO): the person at the company who is responsible for overseeing all data processing and making sure it complies with the GDPR.
The requirement to appoint a DPO applies to both controllers and processors, and it is mandatory in three situations:
- Where the processing is carried out by a public authority (such as public transport services, water and energy supply, road infrastructure, public service broadcasting, public housing, or disciplinary bodies for regulated professions). The exception is courts acting in their judicial capacity.
- Where the organisation’s core activities require regular and systematic monitoring of data subjects on a large scale (this includes, for example, the processing of customer data by an insurance company or a bank).
- Where core activities involve large-scale processing of sensitive personal data (for example, the processing of patient data by a hospital).
You may be asking yourself “Do I need to hire a new person to be DPO?”. The answer is: not necessarily. The DPO role can be undertaken by an existing employee; however, you must ensure that this employee’s other professional duties are compatible with their new duties as DPO and do not result in a conflict of interest. Since the situations in which it is mandatory to appoint a DPO tend to involve large-scale data processing, it is also highly likely that such organisations will be large and will require a separate DPO position, given the sheer workload the role entails.
Considering the responsibilities and the position of the DPO within the organisation, legal knowledge of data protection regulations is necessary, but it is not enough on its own.
The DPO must also:
- have information security knowledge and skills
- be able to carry out and interpret audits against compliance requirements
- be able to coordinate and advise on data breaches and breach notification
- be familiar with codes of conduct for the industry sector
- be able to facilitate the cyber incident response process
So now that you’ve appointed a DPO, what are they supposed to do?
- Informing and advising the controller or processor and its employees of their obligations to comply with the GDPR and other data protection laws.
- Monitoring compliance with the GDPR and other data protection laws, including managing internal data protection activities, training data processing staff, and conducting internal audits.
- Advising about data protection impact assessments when required under Article 35.
- Working and cooperating with the controller’s or processor’s designated supervisory authority and serving as the contact point for the supervisory authority on issues relating to the processing of personal data.
- Being available for inquiries from data subjects on issues relating to data protection practices, withdrawal of consent, the right to be forgotten, and related rights.
The regulation indicates that the DPO must have a certain level of independence in order to properly coordinate with the supervisory authority and the data subjects, and to maintain compliance.
So not only does the DPO have a large degree of independence, but also:
- The organisation must ensure that the DPO is properly involved in all data protection matters
- The organisation must provide the necessary resources to support the DPO
- The DPO must have access to the highest level of management, and data subjects must have clear access to the DPO
- There must be no conflict of interest in carrying out the DPO’s duties, and the DPO must be bound by confidentiality
- The DPO must have a clearly protected role within the organisation
The DPO is a role of great strategic importance that develops and coordinates an organisation’s privacy strategy and ensures that the privacy considerations are incorporated into business practices.
So, serious thought and consideration needs to be given to the process.
There are tools that help both organisations and DPOs to manage and achieve a high level of compliance with the GDPR, such as CyReg™ GDPR.