Understandably, organisations are feeling a growing sense of unease about forthcoming General Data Protection Regulation (GDPR). It introduces a number of important changes to the current Data Protection Directive (DPD), such as increased territorial scope, stricter consent laws, hefty fines, breach notifications, enhanced data subject rights and specific design requirements that focus on data privacy. Additionally, many organisations will be required to appoint a Data Protection Officer (DPO) to oversee all matters relating to data protection. It has been estimated that 28,000 Data Protection Officers (DPOs) will need to be appointed by 2018 in the European Union alone. As GDPR will be applicable to organizations that deal with the data of EU citizens, regardless of whether they themselves are in the EU, the requirements for DPOs will greatly increase. In this article, I will provide a summary of the most frequently asked questions surrounding Data Protection Officers.
Whom should I appoint as a DPO and will my organisation be required to appoint a DPO?
A DPO can be an existing member of staff, a newly appointed member of staff, or a third-party service provider. You will need to appoint a DPO if your organisation is:
- a public authority that processes personal data
- an organisation whose “core activities” involve processing personal data that belongs to EU citizens on a large scale
- an organisation that processes specific categories of data such as data relating to a subject’s health, religion, ethnicity, criminal convictions, sexual preferences, political opinions, etc.
- Organisation with multiple divisions will be allowed to appoint a single DPO on the provision that they are easily accessible to all subsidiaries.
Will organisations who reside outside of the EU still need to appoint a DPO?
An organisation that is not in the European Union will still be required to appoint a DPO if the organisation is:
- processing personal data that belongs to EU citizens
- providing goods and services to EU citizens
- monitoring the behaviour of EU citizens
It’s worth noting that while the GDPR has “increased territorial scope”, it is still up to the individual countries to enforce the law.
What does a DPO actually do?
There are a number of key tasks that a DPO should carry out as a part of their daily routine. These tasks include:
- Ensuring that both the organisation and employees are aware of their obligation to comply with the GDPR
- Managing internal data protection activities, raising awareness, education staff members and conducting audits
- Offering information and advice about data protection impact assessments (DPAs)
- Serving as a point of contact for all issues relating to data protection
- Responding to all enquiries that relate to data protection (i.e. subject access requests, concerns about processing, etc.)
Are DPOs required to have specialised skills and/or qualifications?
The GDPR does not specify exactly what skills and/or qualifications a DPO must have, however, they are expected to have “expert knowledge of data protection law and practices.” DPOs are required to work independently to ensure that conflicting interests do not affect their work. Likewise, they are bound to secrecy on confidential matters. It’s worth noting that, under the GDPR, DPOs who are legitimately performing their duties are granted a certain impunity in the event that their actions have a negative impact on the company in some way.
What would happen if we chose not to comply with the GDPR?
Non-compliance with the GDPR can lead to fines of up to €20m, or 4% of annual worldwide turnover – whichever is greater.
How can Lepide help DPOs satisfy regulatory requirements?
Since DPOs are responsible for carrying out regular audits, maintaining records of all processing activities and delivering detailed reports to the Supervisory Authorities, they would greatly benefit from using a real-time event detection and reporting solution such as LepideAuditor. LepideAuditor translates log data into a meaningful format, which is then presented via an intuitive console. This makes it a lot easier for DPOs to answer the critical questions pertaining to ‘who, what, where and when’ changes are made. Additionally, LepideAuditor provides real-time threshold alerting and is capable of generating over 270 pre-set reports, which can be used to effortlessly satisfy compliance requirements.