As of May 2018, the General Data Protection Regulation (GDPR) will come into effect, which sets out to harmonise and strengthen data protection for individuals within the European Union. Under this new regulation, appointing a DPO (Data Protection Officer) is a mandatory requirement for companies and organisations that either employ more than 250 people or require the storing and processing of public data. It is important to note that the rules apply to any organisation that processes personal information belonging to EU citizens. It doesn’t even matter where your organisation’s data is physically located.
So, do you really need a DPO?
The chances are, yes! And if you fail to comply with the GDPR you could be faced with a heavy penalty.
So now the real question becomes: how do you employ a DPO?
You can either appoint an in-house DPO or employ one on a contract basis. The DPO will be involved in all areas of data protection. They will be required to implement data protection policies, monitor all processing operations and ensure that all staff are trained to a level where they can operate in compliance with the EU’s data protection regulations. A DPO is expected to remain in their position for at least two years, and can only be dismissed if they are unable to adequately fulfil their role. While there are certified training courses available, DPOs are not necessarily required to have formal qualifications. However, they must have professional experience and a profound understanding of the EU’s data protection regulations. Additionally, it is imperative that they possess good communication skills and are able to respond to enquiries in a timely manner. Since a DPO’s role is to monitor and remedy any potential data breaches, as opposed to protecting the company’s financial interests, it is important that they work independently and are willing to speak up when necessary.
DPOs must consult the European Data Protection Supervisor (EDPS) prior to processing information in a way that might compromise the data privacy rights of their subjects. And who is the EDPS? The EDPS is an independent governing body whose role is to ensure that companies and organisations within the EU respect people’s privacy when storing and processing personal data. The EDPS is independent from the DPOs but often liaises with them and discusses issues of common interest.