Written by Rob Young, Director – 20th December 2017
On the 25th of May 2018, the GDPR comes in to force, drastically changing the way businesses in the UK and Europe manage and store their private data. The GDPR has been a much talked about topic throughout businesses this year; mainly due to concerns over the harsh penalties if found to be non-compliant. There has also been a lot of confusion over what it takes to be GDPR compliant.
In this blog, we’re going to explore another regulation under the GDPR that we’ve frequently been asked about. Article 37 states that many businesses throughout the UK will be required to have a designated Data Protection Officer (DPO). In this blog, we will explore what a DPO is, what their role is and what businesses need to do in preparation.
What is a Data Protection Officer?
A Data Protection Officer (DPO) plays a vital role within the business, ensuring all staff and management adhere to the businesses data protection obligations in regards to the control and processing methods of business/customer data. More importantly, they oversee the data protection strategy for the entire business to ensure the business is compliant with the GDPR and other related regulations such as ISO 27001
What are the common duties of a Data Protection Officer?
- To inform and advise the business and its employees about data protection
- To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments and training staff.
- Conduct internal audits relating to data protection processes.
- To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).
- To maintain records of how the data is stored and processed, why this data is obtained and what the business uses it for.
- Ensuring all business data is stored in a secure environment but also accessible at any time upon request from a customer.
Can you allocate a Data Protection Officer role to an existing employee?
Yes, you’re able to allocate this role to an existing employee within the business and assign this role as an additional responsibility, similar to a Health and Safety Officer. Only large businesses will need a fully dedicated person as a Data Protection Officer.
Who is best suited to a Data Protection Officer?
If your business is ISO 27001 compliant it would make sense to assign the Data Protection Officer responsibility to the Information Security Officer who will be familiar with the current data laws and regulations.
If your business is now ISO 27001 compliant, then the IT Manager (or similar) would likely be best suited as they should be familiar with national and European data protection laws.
Does my business need a Data Protection Officer?
Whilst there is no mandatory requirement for a Data Protection Officer Role in smaller businesses there are three types of companies who must appoint a DPO.
- A public authority (except for courts)
- Business carrying out large scale systematic monitoring of individuals (for example, online behaviour tracking)
- Business carrying out large scale processing of special categories of data or data relating to criminal convictions and offences
However, it is recommended that businesses that obtain lots of personal data such as people’s ethnicity, address’, phone numbers, bank account information etc should also assume that they should appoint a Data Protection Officer.
When should we start thinking about assigning a DPO?
One study carried out by The International Association of Privacy Professionals predicts that 28,000 Data Protection Officer’s will be required in Europe under the GDPR.
We would recommend looking in to whether you require a Data Protection Officers as soon as possible. Whilst we cannot carry out this role on your behalf, our IT Security Consultants can be appointed to undertake a risk register, and third party data register as well as auditing your entire system highlighting any data security risks that your Data Protection Officer needs to be made aware of and manage going forward.
If you have any questions or concerns regarding the GDPR or the Data Protection Officer role then please feel free to get in touch, download our GDPR Consultancy Brochure and speak to one of our certified GDPR consultants who will be happy to help you.
If you have found this blog useful you may want to look at our other GDPR related articles, ‘7 steps to kick start GDPR Compliance’, ‘GDPR – What are the penalties for non-compliance’, The GDPR – What it means for UK businesses, New EU General Data Protection Regulation (GDPR)