Whether you need to make a mandatory appointment of a Data Protection Officer (DPO) or simply appoint someone within your organisation to take responsibility for this role, it’s important that you start planning for GDPR now.
There is, in fact, very little difference in the remit of a voluntarily appointed DPO and a mandatory one; notably, a voluntarily appointed DPO must also comply with the requirements the GDPR places on the role.
A mandatory DPO appointment is required for the following organisations:
- a public authority;
- one carrying out regular and systematic monitoring of individuals on a large scale;
- one carrying out large-scale processing of special categories of data, such as health records, or of information about criminal convictions.
While the term ‘large-scale’ isn’t defined in the GDPR, guidance suggests that it refers to processing that affects a large number of data subjects at a regional, national or international level. Relevant considerations in determining this include the number of data subjects concerned (either as a specific number or as a proportion of the relevant population), the volume of data and range of data items processed, the duration or permanence of the processing and the geographical extent of the processing activity.
In terms of governance, a DPO must be independent and report directly to the highest management level of an organisation. This is to secure buy-in at executive level to ensure the required resources and budgets are available to comply with the legislation.
A DPO’s contact details must be published and provided to the supervisory authority (in this country that authority is the Information Commissioner’s Office, or ICO). The position requires expert knowledge of data protection law and practice, although in SMEs it is sometimes a compliance officer who takes on the role and develops that expertise through experience.
The role of a DPO is to inform and advise the controller or processor, and the employees processing personal data, of their legal obligations, and to monitor compliance with the GDPR through regular training and audits. They must co-operate with, and act as the contact point for, the ICO, and must provide advice in relation to Data Protection Impact Assessments (DPIAs).
A DPO will drive momentum on internal reviews of current policies and procedures to ensure that they are GDPR compliant and adequately documented. They should also be the primary internal contact point for notification of a data breach, so that the 72-hour deadline for reporting a notifiable breach to the ICO can be met.
Louise Weatherhead is a solicitor at Newcastle law firm Sintons and a specialist in advising on GDPR. To speak to Louise, contact her on email@example.com or 0191 226 3699