Find out what the data protection officer role involves and who or what you need to hire.
The General Data Protection Regulation (GDPR) is something you’ve heard a lot about, whether or not you collect, store and use customer data. It’s the biggest change to data regulations in the past 20 years and, as a result, there’s a lot of buzz about it.
Although many companies weren’t quite prepared for the GDPR deadline in May 2018, there’s now been a decent amount of time for businesses to start making plans. The way businesses handle data and ensure that they adhere to their new obligations has never been more important.
The UK’s Information Commissioner’s Office has taken a considered approach to enforcing the laws so far. This is quite normal when a significant law change is actioned. However, as the months and years roll on, the ICO is likely to clamp down on businesses failing to comply. Therefore, it is vital you ensure you are covered.
There’s a slight variation depending on the size of your organisation. One that processes a lot of data, such as a marketing or research firm, or that is considered a “large” business, must recruit a data protection officer (DPO) to oversee data collection, storage and processing and make sure it’s in line with the GDPR. Their role is to make sure any information relating to customers, partners, employees or anyone else is collected and stored with the subject’s best interests at heart.
Although the UK has now left the EU, the area in which the GDPR applies, that doesn’t mean the obligation for businesses to comply with EU law will change.
In fact, if your business wants to keep communicating with European citizens, there must be solid evidence that the company still sits within the scope of the GDPR. It doesn’t matter whether your organisation’s head office is in the UK, Asia, Europe or the US: if you want to communicate with those in the EEA/EU/UK, you must follow the guidelines.
Data protection officer – a job description
The DPO is responsible for the business’ compliance posture in relation to the GDPR. They are tasked with monitoring all data processing activities on an ongoing basis, and ensuring any necessary changes are made to bring operations in line with the regulations. This can include advising on changes to the organisation’s data collection practices, as well as overseeing the creation of privacy policies and other documentation.
Within the corporate structure, DPOs must report directly to the board of directors. If they have other responsibilities in addition to their role as DPO, these should not create any conflicts of interest.
The DPO acts as the company’s primary point of contact with the ICO on any matters relating to data protection or data privacy. They will liaise directly with the regulator on any investigations. If a data breach occurs within a company, and that breach is likely to adversely affect the data subject’s rights and freedoms, the DPO is responsible for alerting the ICO within the GDPR-mandated 72-hour time period.
They also act as the primary liaison for any employees who may have questions about the company’s data processing policies, as well as customers or members of the public. They are responsible for acting on any subject access requests (SARs) or rectification or deletion requests that the business may receive.
Training and awareness are another element of the role, and DPOs should conduct regular training sessions and audits to ensure that staff are fully cognizant of the organisation’s guidelines and legal responsibilities around the handling of data.
Do you need a data protection officer?
If you’re wondering whether you need to make the extra investment in a data protection officer, the answer is (unfortunately for you), probably yes.
The GDPR stipulates that all organisations need to appoint a DPO if their core activities cover data processing of any type, particularly those that include “regular and systematic monitoring of data subjects on a large scale.”
Additionally, any organisations that collect and process information, specifically concerned with ethnicities, religious beliefs, trade union memberships, genetic data, biometrics, sexual orientation and criminal offences and convictions must appoint one too.
But, if you work in a public sector organisation, you may find that you are able to share a DPO with other bodies rather than having to appoint your own, which may lighten the load somewhat.
Data protection officer qualifications
Your data protection officer can be appointed from within the company, or they can be a fresh hire from outside your company. You can also bring in a third-party specialist company as an outsourced DPO.
Of course, he or she does need to be qualified to hold the position. The legislation gives organisations a free hand in deciding what qualifications the role requires, stating only that:
“The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.”
Therefore, the DPO should be well-versed in data protection law and how to comply with these rules, which is why specialist data protection practices, such as ours, are being hired.
If you want to know more about our DPO services, please contact us here.