Due to the incoming GDPR, many people from all departments are finding the need to familiarize themselves with new or updated concepts of how they are going to have to handle and store sensitive data. In many ways this is a great thing, ensuring that even those without any speciality for data protection within the organization have at least a rudimentary understanding of the importance of giving users more control over the way their data is processed.
There are numerous aspects of the GDPR that are repeated in many articles, including the “scary” implications of non-compliance that vendors so often love to shout about. One such repeated aspect is that organizations will need to appoint a Data Protection Officer (DPO). A closer look at the ICO’s guide to the GDPR sheds some light on whether this is really the case, but it is not exactly an interesting read…
Below, we have outlined a few common questions that we are often asked regarding DPOs in an attempt to simplify this area of the GDPR.
Do you Need a DPO?
Whether you are a controller or a processor, there are three general rules that indicate whether you need to appoint a DPO. You will need to appoint one if:
Figure 1: Three scenarios in which you would need a DPO
Now, some of the terminology here can seem a little vague (“core activities” and “public authority” being the two main culprits). So, let’s define these two phrases briefly before continuing:
- Core activities: the main activities your business performs on a day-to-day basis. The best way to think about it is: if you need to process sensitive personal data in order to achieve key business goals, then it’s a core activity. Internal activities (related to HR and payroll, for example) would not be considered core activities.
- Public authority: This is, as yet, undefined by the GDPR. “Public authority” will be defined in the Data Protection Bill which, at the time of writing, is at the report stage in the House of Commons. Indications are that it will be the same definition of “public authority” that is listed under the Freedom of Information Act 2000, which can be found here.
This doesn’t mean that you don’t require a DPO if you don’t meet any of the above criteria. Even if none of the above applies to you, it might still be wise to appoint a volunteer DPO to help you keep track of the GDPR requirements. However, bear in mind that if you do decide to voluntarily appoint a DPO then that person will still be beholden to the same requirements as a mandatory one. In other words, just because you’re a volunteer doesn’t excuse giving the role less thought or time.
If you decide not to appoint a DPO, you still need to ensure you have the in-house resources and knowledge to meet GDPR mandates (in these areas, a DPO might come in useful for guidance). It’s also a good idea to record that you considered a DPO and decided one wasn’t required, so that you are able to demonstrate compliance with the accountability principle.
What Experience Should Your DPO Have?
In short, expertise in GDPR would probably be the one and only requirement. No particular experience or training is required as far as the GDPR is concerned, but it makes sense to ensure that any DPO you hire has both of these things. Ultimately, this person will be responsible for ensuring that your organization is compliant, and this is no easy or small task. This requires an in-depth knowledge of the articles and sections of the GDPR, as well as knowledge of all business departments it will affect, and the ability to communicate this both internally and in the public eye. No small task…
What Will the DPO Be Responsible For?
If you’re unsure what the day-to-day activities will be for a DPO, you are not alone. The GDPR is actually a bit vague on this. However, having spoken to numerous GDPR experts we can confidently state the DPO should have the following responsibilities:
- Educating employees on the importance of the GDPR, how it applies to them and how to stay compliant. This may include regular training or advice.
- Continually monitoring and producing reports on the organization’s efforts to stay compliant. This includes documenting any changes that may be related to the GDPR.
- Communicating directly with top-level management internally and also with the ICO (or the appropriate governing body).
Whether or not you are required to appoint a DPO, you should consider speaking with experts in GDPR to see how you need to prepare. There are numerous aspects of a DPO’s responsibilities that can be automated by implementing a GDPR solution. LepideAuditor, for example, allows you to automatically generate reports that have been pre-set to meet specific chapters and articles of the mandate in order to save both time and effort.
However you decide to proceed with GDPR solutions and DPOs, ensure you do it sooner rather than later!