GDPR & The Role of the Data Protection Officer

First published December 2016
On May 25 2018, the new General Data Protection Regulation (GDPR) officially became EU Regulation 2016/679, heralding a new era of data protection across the European Union, leading to varied ramifications for companies around the world.

Although employers and organisations won’t need to abide by the new requirements until May 25, 2018 – when the full law takes effect – there are only two years left to prepare, budget and act on the new procedures that must be put in place.

One of the core changes that many businesses will need to make is the appointment of a Data Protection Officer (DPO) and it may take some time to come to terms with the new roles and responsibilities of this position.

What is a Data Protection Officer?

A Data Protection Officer is typically the person who is in charge of ensuring a business and its operations are compliant with any laws and regulations relating to data protection. In the case of the GDPR, Article 39 details the specific tasks of the DPO, after describing their important legal responsibilities. It also explains how DPOs will have special protected status under the law.

In short, the Data Protection Officer is an extremely important position under the new EU regulations and so businesses should pay serious attention to:

  1. Whether they are legally required to appoint a DPO
  2. If they are, who they will hire for that role

A DPO is the key to understanding the new regulations and helping ensure an organisation does not break the law. They will provide guidance and practical advice, explain necessary processes, and put safeguards in place to prevent companies falling foul of the GDPR.

Therefore, it is vital that businesses recognise the requirements of a Data Protection Officer now and understand the valuable role they will need to play. If they don’t, they could be subject to heavy fines for violation of DPO provisions, up to:

  • €10,000,000
  • Or 2% of total global revenue (whichever is higher)

Identifying requirements for a Data Protection Officer

The first step to take to determine if your organisation requires a DPO is to assess whether the GDPR applies to you. If you operate in a member state of the EU, or you do business with any citizens of the EU, you will be subject to the new regulations. Despite Brexit, Britain continues to remain an EU Member State until further notice.

Secondly, you’ll need to check whether the GDPR specifically requires you to appoint a Data Protection Officer. Article 37 details three specific cases in which an organisation must recruit, hire and give responsibilities to a DPO:

  1. They’re a public authority or body processing data (e.g. a hospital)
  2. The core part of the business is the control and processing of data, and they do this on a large scale, with ‘regular and systematic monitoring of data subjects’
  3. They process large amounts of the special categories of personal data, as defined by the GDPR.

Although the official law does not define what ‘large scale’ means, other authorities have deemed this to be the processing of data from over 5000 individuals, within a 12-month period.

Designating a DPO

If your organisation does fall into one of the above categories, you’ll need to appoint a DPO.

It might be that you already have one, as many businesses in the UK have been required to have a designated Data Protection Officer for some years, under the 1998 Data Protection Act. Similarly, other member states of the EU – including Germany, Poland, Hungary, Russia, Belgium and Slovakia – already require companies to have official DPOs. The new legislation simply brings uniformity to Europe.

Helpfully, Article 37 in the GDPR lays out who you can, and should, appoint to become your data protection officer:

  • They can be a current member of staff – though they need to be allowed to work independently, and shouldn’t have other duties that clash with their role as a DPO
  • Or, they can be externally recruited and appointed on a service contract
  • A single DPO can be appointed for a company group or sister organisations (but they will likely need a team to support them)
  • They must be appointed based on their professional qualities, in particular, their ‘expert knowledge of data protection law and practices’

The level of knowledge required for your Data Protection Officer will depend on your individual organisational structure (including the size, number of controllers & processors, and technical nature), the type of data you process and its sensitivity, and the kind of security you’ll need to have in place.

Key tasks of the Data Protection Officer

Essentially, the DPO will hold responsibility for all things relating to data protection. Their role covers everything from providing information and advice, to monitoring compliance and being the first point of contact for authorities.

Article 39 of the General Data Protection Regulation details the minimum tasks that a DPO should carry out. It’s important to note that these are only the MINIMUM requirements and responsibilities, and that the DPO’s duties could vary dramatically depending on your organisation’s needs and size.

As stipulated, the DPO’s tasks will be to:

  • “Inform and advise the controller or the processor and the employees about data protection provisions
  • Monitor compliance with the General Data Protection Regulation, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits
  • Provide advice where requested on data protection impact assessments
  • Cooperate with the supervisory authority
  • Act as the first contact point for the supervisory authority and individuals whose data has been processed”

The primary job of the Data Protection Officer is to work with everyone in an organisation to ensure that the company is fully compliant with all GDPR legislation.

In practice, this means:

Guidelines, policies and procedures

The DPO will be responsible for providing guidelines on the GDPR and best practice for compliance throughout the organisation, from employees on the front line right up to the Board of Governors. They will need to check existing policies and procedures, and likely adapt or design new ones that adhere to the new data protection regulations. They will also be responsible for establishing a procedure to deal correctly with subject access requests made by individuals.

Staff training (new and existing)

Training is a key part of the DPO’s role. They will need to raise awareness amongst every member of staff, through group workshops, one-to-one sessions and formal in-house training. As well as existing employees, DPOs should put procedures into place to effectively train any new recruits on data protection requirements. They’ll be responsible for raising awareness on all new developments and updates too.

Department liaisons

The DPO should act in an advisory role at all times, liaising with every department in the organisation to ensure compliance is followed at each stage of processing. This includes working with Sales & Marketing on data capture, and the IT department on security and data handling.

Regular audits and reviews

In order to fulfil the task of monitoring compliance, the DPO will need to conduct regular audits and reviews of all processes in the business, and oversee the implementation of necessary changes. They will be regularly checking the activities of data controllers and processors and need to offer their expert advice on Privacy Impact Assessments (PIAs). In general, if there is anything relating to data protection in an organisation, the advice of the DPO should always be sought.

Employers’ duties to the DPO

Whilst the Data Protection Officer has a wealth of responsibilities, employers also have some legal duties to the DPO.

Under the GDPR, an employer should support their DPO at all times, with the responsibility to ‘provide resources necessary to carry out those tasks, and to maintain his or her expert knowledge.’ That could mean the provision of facilities, staff and a training budget. Employers also need to put an adequate chain of communication in place to allow a DPO to report back directly to the highest level in the organisation – i.e. the board of directors. And finally, employers need to ensure that DPOs have the freedom and independence to do their job. They must not be hindered in their tasks, and cannot be dismissed or penalised for performing their duties.

Preparing for the new regulations

It’s clear that the GDPR brings with it a mountain of tasks and requirements for any business. A Data Protection Officer can take some of those responsibilities away – and provide protection and safeguards for your company – but recruiting one and giving them the resources to do their job effectively is a mammoth job itself.

Now is the time to designate budget and responsibility. If you haven’t needed a Data Protection Officer before, this could be a heavy burden. Regardless of whether you need a DPO under the GDPR or not, you’ll still need to make sure employees have the necessary skills and knowledge to comply with the regulations and stay on the right side of the law. Training and awareness are an integral part of this process, for all involved.

© Copyright 2022 Kefron. All Rights Reserved