Before and post the General Data Protection Regulations (GDPR) came into effect this year, the spotlight was on obtaining ‘CONSENT’ to hold and process data. Now the flurry of re-permissioning emails has stopped infiltrating our in-boxes the finer details of how organisations can achieve GDPR compliance have started to gain focus, with the spotlight on the requirements on appointing a Data Protection Officer (DPO).Many organisations have updated their privacy policies and re-permissioned their data but haven’t appointed a Data Protection Officer. The question is, does your organisation require a Data Protection Officer in order to be compliant?
You may not be GDPR compliant if you haven’t appointed a Data Protection Officer in your business.
With all the focus on obtaining consent, did you consider you may need a Data Protection Officer to ensure GDPR compliance?
When should a Data Protection Officer be appointed?
Under Article 37 of the EU GDPR there are three conditions under which a Data Protection Officer must be designated:
– Where the processing is carried out by a public authority or body (except for courts acting in their judicial capacity).
– Where the core activities of the controller or processor involve the processing of regular and systematic monitoring of individuals on a large scale.
– Where the core activities of the controller or processor involve the use, on a large scale, of special categories of data or personal data relating to criminal convictions.
The last condition, special categories of data, is not a new concept and have long been subject to additional safeguards. The special categories are listed in Article 9 of the GDPR and consist of data relating to racial or ethnic information to data concerning a person’s sexual orientation.
What are the responsibilities of a Data Protection Officer?
A general overview of a Data Protection Officer’s role is to “be responsible for all issues which relate to the protection of personal data.”
The DPO’s tasks are defined in Article 39 as:
– to inform and advise you and your employees about your obligations to comply with the GDPR and other data protection laws;
– to monitor compliance with the GDPR and other data protection laws, and with your data protection policies, including managing internal data protection activities; raising awareness of data protection issues, training staff and conducting internal audits;
– to advise on, and to monitor, data protection impact assessments;
– to cooperate with the supervisory authority; and
– to be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).
Who should an Organisation appoint as their Data Protection Officer?
Article 37 states that the data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks as stated above (Article 39).
This isn’t just a throw-away role that can be assigned to an employee that already has their everyday responsibilities to undertake and consider the organisation compliant. When the role of a Data Protection Officer is not carried out to the highest level of competence then an organisation risks personal legal proceedings.
Article 29 Working Party suggests a Data Protection Officer should have the following skills and experience:
– expertise in national and European data protection laws and practices including an in-depth understanding of the GDPR;
– understanding of the processing operations carried out;
– understanding of information technologies and data security;
– knowledge of the business sector and the organisation; and
– the ability to promote a data protection culture within the organisation.
Although appointing a Data Protection Officer is necessary it is not always feasible, especially as the cost of an in-house DPO could cost an organisation from £36,000 per annum; an overhead that could cripple a small business or low turnover startup.
At Vox Securitas, we have developed a monthly DPO subscription service, which offers organisations the support and compliance required under the GDPR without adding extra duties to your existing staff to cover.
– Our team will monitor internal compliance by carrying out data flows across your business and advising and offering solutions for any issues these might raise.
– We also inform and advise on policies and procedures, data protection obligations, and provide advice regarding Data Protection Impact Assessments (DPIAs) if needed.
– If you are managing Subject Access Requests and Data Breaches we can take the stress out of this time-consuming process by offering a tailored service to manage this for you.
– Importantly we take on the responsibility as an external independent support, which the ICO recommends, and act as a contact point for your data subjects and we are the contact person for the ICO.
The Vox Securitas DPO Advice Service is available across the week during office hours for everyday support from our DPO team. Urgent advice is available outside of office hours to support concerns such as data breaches.
If you require more information on our Vox DPO service or wish to discuss your GDPR compliance further then please contact firstname.lastname@example.org or complete our contact form
Vox Securitas Data Protection Officer subscription service
Why spend thousands on an in-house Data Protection Officer when you can outsource your requirements to Vox Securitas for a fraction of the price!