Under the General Data Protection Regulation (GDPR) which comes into effect in May 2018, many organisations will have to appoint a Data Protection Officer (DPO) to ensure that they are compliant with the law.
The DPO will become one of the most important people in your organisation and could help your company avoid astronomical fines (up to €20m) as well as costly litigation from data subjects – here are 10 things you need to know about the role:
1. The public should have clear paths to contact and communicate with the DPO. They must have an easy way to ask any questions they may have about their information: how it is protected, stored, used, and so on.
2. The DPO is responsible for how data is handled within an organisation – it is a 'buck stops here' role.
3. The importance of the DPO cannot be overstated – the GDPR states that the DPO must report directly to the CEO of the organisation, or the highest-ranking person in the organisation – this is not a middle-management position.
4. In earlier drafts of the GDPR there were guidelines for the size of an organisation that would require a DPO – one recommendation was that organisations would have to have 250 people or more before appointing a DPO, but this was removed in the final draft.
5. If you are a public sector body, or a private sector body that does business on behalf of a public sector body or with a public sector body, then you need a Data Protection Officer.
6. If you process large amounts of data, or are engaged in large-scale monitoring of individuals (like any of the big internet companies), then you need a DPO.
7. If you are a small organisation, but you process large amounts of data, then you need a DPO.
8. You may appoint a third party to be your DPO, i.e. a service provider.
9. If you are part of a larger group of companies, it is possible to have one Data Protection Officer for the group, provided that individuals get sufficient bandwidth and time with the DPO.
10. For larger companies that deal with high volumes of data, no one person would be able to handle the volume of requests from data subjects in a timely fashion – in this case the Data Protection Officer will be heading up the 'Office of the Data Protection Officer' within that organisation.