It’s almost May 25th, and if you’re like a lot of other companies around the world, you’re doing everything you can to get your GDPR ducks in a row. As a refresher, GDPR is the new data protection regulation taking effect in the EU on that date; it gives individuals enforceable rights over how their personal data is collected and used. So, if you do business in the EU or with residents of the EU, GDPR will directly impact the way you do business. One of the most important elements of GDPR, and a mandatory one for certain organizations, is the appointment of a Data Protection Officer. If you’re wondering whether or not you need one, we’ve put together a list of questions about Data Protection Officers, answered from the text of the Regulation itself, to shed some light on who exactly this data superhero is.
What is a Data Protection Officer (DPO)?
Good question. A DPO is an independent data protection role that oversees an organization’s data protection strategy and its implementation, and monitors compliance with the applicable law – in this case, GDPR.
Do I need a DPO?
If you sell to people in the EU or in the member states of the European Economic Area (EEA), you may well need one. According to this study, at least 28,000 organizations will be required to hire, appoint, or contract a DPO in Europe alone. Article 37 of the Regulation makes a DPO mandatory for controllers and processors that fall into any of these categories:
- A public authority or body that processes personal data (except courts acting in their judicial capacity)
- An organization whose core activities consist of processing that requires regular and systematic monitoring of data subjects on a large scale
- An organization whose core activities consist of large-scale processing of ‘special categories’ of data (for example racial or ethnic origin, religious beliefs, health, biometric or genetic data) or of data relating to criminal convictions and offences
What is a DPO responsible for?
Under Article 37(5), a Data Protection Officer is designated on the basis of professional qualities and, in particular, “expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.” The tasks, as listed in Article 39, include:
- Informing and advising the organization and its employees of their obligations under GDPR and other data protection law.
- Monitoring compliance with GDPR and with the organization’s own data protection policies, including the assignment of responsibilities and related audits.
- Raising awareness and training the staff involved in processing personal data.
- Providing advice, where requested, on data protection impact assessments (DPIAs) and monitoring their performance.
- Cooperating with the supervisory authority and acting as its point of contact on matters relating to processing.
- Having due regard to the risk associated with each processing operation, taking into account its nature, scope, context and purposes.
While these are the responsibilities set out in GDPR, your organization may well find that its DPO needs to take on more in order to do the job properly.
Are there any DPO best practices?
While the primary purpose of the Data Protection Officer is to protect personal data, Article 38 gives more insight into the position the DPO holds. It not only discusses the role of the DPO, but also sets out how the DPO must be integrated into the organization. The Regulation states that the DPO must:
- Be involved, properly and in a timely manner, in all issues relating to the protection of personal data;
- Be supplied with the resources needed to carry out their tasks, including access to personal data and processing operations, and support in maintaining their expert knowledge;
- Not receive any instructions on how to carry out their tasks;
- Not be dismissed or penalised for performing their tasks;
- Report directly to the highest level of management;
- Be available as a point of contact for data subjects (consumers) on all issues related to the processing of their data and the exercise of their rights;
- Be bound by secrecy or confidentiality concerning the performance of their tasks;
- Be able to fulfil other tasks and duties, so long as they do not result in a conflict of interests.
Who can become a DPO?
As specified under Article 37.6, “The data protection officer may be a staff member of the [data] controller or processor, or fulfil the tasks on the basis of a service contract.”
This means organizations may appoint either an in-house employee or a third party to fill the role. Since privacy and data protection are of the utmost importance under GDPR, the appointed DPO should not only have expert-level knowledge of GDPR principles, but also the ability to advise on, and monitor, the policies and controls your organization puts in place to reduce the risk of breaches and violations.
While you figure out whether your company needs its own Data Protection Officer, you can rest assured that you don’t necessarily need to start hiring just yet. The Regulation allows the DPO to be an existing employee, so long as that person has the required expertise in data protection law and their other duties do not create a conflict of interests. So, if you have someone in mind, now would be the right time to sit down and discuss the next move with them. If you don’t have someone in mind, hiring or contracting a Data Protection Officer for your business could be the next (and probably best) move.