GDPR Blog Week 4: Responsibility and the DPO
Whether you need to make a mandatory appointment of a Data Protection Officer (DPO) or simply appoint someone within your organisation to take responsibility of this role, it’s important that you start planning for GDPR now.
There is, in fact, very little difference between the remit of a voluntarily appointed DPO and that of a mandatory one; notably, voluntarily appointed DPOs will also need to comply with the requirements of the GDPR.
A mandatory DPO role is needed for the following organisations:
- a public authority; or
- one carrying out regular and systematic monitoring of individuals on a large scale; or
- one carrying out large scale processing of special categories of data, such as health records or information about criminal convictions.
Whilst the term “large scale” isn’t defined, guidance suggests that it means processing which affects a large number of data subjects at a regional, national or international level. The number of data subjects concerned (either as a specific number or as a proportion of the population) and the geographical extent of the processing activity would be relevant considerations in determining this.
In terms of governance, a DPO must be independent and report directly to the highest management level of an organisation. This is to secure buy-in at executive level to ensure the required resources and budgets are available to comply with the legislation.
A DPO’s contact details must be provided to the supervisory authority (in this country that authority is the Information Commissioner’s Office, or ICO). The position requires expert knowledge of data protection legislation and practices, although in SMEs this is sometimes a compliance officer who takes on a developmental “knowledge through experience” data protection role.
The role of a DPO is to inform and advise the controller or processor, and the employees processing personal data, of their legal obligations, and to monitor compliance with the GDPR through regular training and audits. They must cooperate with, and be a contact point for, the ICO and must provide advice in relation to Data Protection Impact Assessments (DPIAs).
A DPO will drive momentum on internal reviews of current policies and procedures to ensure that they are GDPR compliant and that they are adequately documented. They should be the primary contact point for notification of a data breach.
I’ll discuss data breaches and security measures in a separate blog, but please don’t hesitate to contact me, Louise Weatherhead at Louise.firstname.lastname@example.org or by telephone on 0191 226 3699 or speak to another member of the Data Protection Team if you require any further information.
We will be releasing our blogs on a weekly basis in the run up to May to pick apart the new legislation in simple terms and help you to get GDPR-ready. Next week, our topic will be Direct Marketing. We hope that our blogs help you to think about transition arrangements and getting to grips with the new GDPR.