Amid all the concerns over the ways that the EU General Data Protection Regulation (GDPR) changes consent requirements and the misinformation spread about it, organisations need to make sure they don’t overlook a fundamental part of the compliance process: appointing a data protection officer (DPO).
Not all organisations are legally required to appoint one, but many experts – including the Article 29 Working Party (WP29) – recommend doing so as a matter of good practice. So, why is it important?
1. It might be a legal requirement
There’s nothing like the threat of disciplinary action to get an organisation to take data protection seriously. The Regulation says that all public authorities and companies that carry out either large-scale systematic monitoring of individuals or large-scale processing of special categories of data need to appoint a DPO.
This means that some very small organisations, such as schools and parish councils, will need to meet this requirement. However, this isn’t necessarily as onerous as it sounds. The position can be filled by an existing member of staff, provided they have expert knowledge of data protection law and their professional duties are compatible with the DPO role. Additionally, the position can be filled by an external contractor, who may represent several organisations.
Organisations that only collect personal data for HR purposes don’t need to appoint a DPO.
2. The DPO oversees many of the GDPR’s compliance requirements
Hiring a DPO is not only a compliance requirement in itself, but it will also help you meet many of the GDPR’s other requirements. The DPO Centre writes:
“DPOs will help to guide your business through a complex new approach to privacy regulation, involving disciplines ranging from human resources, legal, corporate structure and business planning, through to website content and structure, database design, IT infrastructure and cybersecurity.
“In order to be able to protect your interests in the event of a breach, they must also operate without any conflict of interest within your organisation, making them in one sense a ‘regulator’ working on behalf of the interests of data subjects, more so than the interests of your organisation.”
3. They will help your organisation respond to data breaches
Among the requirements that DPOs will help organisations comply with is data breach notification. Under the GDPR, any breach that results in a risk to the rights and freedoms of individuals needs to be reported within 72 hours of discovery.
Organisations probably won’t have all the facts by that time, but they need to provide the most important details. These will typically include the potential scope and nature of the breach (i.e. the types and format of information lost), and the actions the organisation plans to take to respond to and mitigate the problem.
Having a DPO to manage breach reporting will help organisations meet the tight timeframe for reporting incidents. They will put in place a plan for breach notifications, keep it updated to take into account any changes to your business operations and manage the reporting process in the event of a breach.
Learn more about the GDPR
There are only a few months until the Regulation takes effect, so if you’re not already preparing for the change, you need to act now.
If you’re looking for a comprehensive overview of the Regulation, a good place to start is EU GDPR – A Pocket Guide. Written by Alan Calder, IT Governance’s founder and executive chairman, this guide describes the terms and definitions used in the Regulation in simple terms, outlines the key requirements that organisations need to meet and provides advice on achieving and maintaining compliance.
It also provides more information on DPOs, including a detailed description of their tasks and which organisations need to appoint one.