The General Data Protection Regulation (GDPR) came into force in May 2018, and brought with it a big change as to how businesses approach data protection regulation. For example, the GDPR places much more emphasis on self-regulation and internal accountability. One aspect of this new approach is that certain businesses and organisations are required to designate a data protection officer (DPO).
Although the concept of appointing a DPO isn’t new, the GDPR sets out a number of requirements regarding the role, and details what tasks they must undertake.
When is it mandatory to appoint a DPO?
It is mandatory to appoint a DPO if you are a public authority or body, and/or if your core activities involve:
- Large scale, regular and systematic monitoring of individuals – for example, online behaviour tracking; or
- Large scale processing of special categories of data or data relating to criminal convictions and offences.
It is unlikely that many of you will fall in to the above category, however the ICO strongly recommend that every organisation that processes personal data (be it information about its staff, customers, or third party suppliers) should appoint a DPO.
Appointing a DPO helps organisations stay the right side of GDPR, as a DPO’s main role is to ensure compliance with this set of Regulations so that heavy fines can be avoided.
What if you don’t appoint a DPO?
Aside from the difficulty of juggling both your day job plus the tasks of a DPO, i.e. monitoring compliance and drafting suitable data protection policies, any organisation that decides against appointing a DPO needs to document its reasoning behind its decision.
Any organisation can be investigated by the Information Commissioner’s Office (ICO) which is the data regulatory body, and keeping a record of any justification for not appointing a DPO will be important in the event that your decision is queried, as the ICO strongly recommend all organisations appoint one.
What are my obligations once a DPO is appointed?
As DPO’s play a key role in building data protection in to any organisational culture, from ensuring GDPR principles are implemented in practice, and suitable data records and filing fees are dealt with in the applicable time scale, you as an organisation must provide training, so that DPO’s can stay up to date with regard to data protection developments.
Where can you find suitable training?
Our DPO training is designed specifically for businesses and is expert led by our data protection specialist, giving you everything you need to become compliant.
Jessica Maine has worked extensively within the data protection field and will work side by side with you and your DPO to deliver training. This one to one contact will help your DPO develop their knowledge of GDPR. Jessica will advise, and share helpful and practical tips on how to effectively manage and ensure your organisation’s data compliance.
Jessica has worked with several clients in this area, from start-up businesses to large international organisations.