Appointing a DPO in the wake of GDPR

From 25 May 2018, the General Data Protection Regulation (GDPR), the EU's new data protection and compliance legislation, will replace the regime of the Data Protection Act (DPA) 1998. The new rules raise two practical questions for organisations: who should be the Data Protection Officer (DPO), and when must one be appointed?

Appointing a DPO is mandatory for any organisation that meets the criteria set out below, and a properly resourced DPO is central to demonstrating compliance with GDPR (it does not by itself guarantee it). The DPO reports directly to the highest level of management and advises the Data Controller, the entity that determines the purposes and means of processing the personal data of a data subject (the natural person to whom the data relates). The objective is to protect the rights and freedoms of individuals in the EU against infringement.

In order to fulfil the tasks and duties under Article 39 GDPR, the DPO may be a permanent member of staff, a consultant engaged on a contract basis or a virtual (outsourced) DPO. The tasks of the DPO are as follows:

  • Inform and advise the Data Controller or the Data Processor and their employees of their data protection obligations.
  • Monitor compliance with GDPR and with the organisation's own data protection policies, including the assignment of responsibilities.
  • Raise awareness of the regulation within the organisation and ensure relevant training of the staff involved in processing.
  • Provide advice where requested in relation to data protection impact assessments (DPIAs) and monitor their performance.
  • Cooperate with, and act as the contact point for, the Information Commissioner's Office (ICO) or the relevant Supervisory Authority.
  • Report to top-level management or the Executive Board, with full autonomy to carry out these responsibilities.

Under Article 37 GDPR, as interpreted in the Article 29 Working Party's guidelines on DPOs, Data Controllers and Data Processors must appoint a DPO in the following circumstances:

  • The processing is carried out by a public authority or body (other than courts acting in their judicial capacity). In the UK, the bodies subject to the Freedom of Information Act (FOIA) 2000, which gives the public a right of access to information held by public authorities, are a useful reference point.
  • The core activities of the organisation consist of regular and systematic monitoring of data subjects on a large scale. Examples would be the processing of customer data by an insurance company or bank, or profiling of behavioural consumer trends for marketing purposes.
  • The core activities consist of large-scale processing of special categories of personal data, or of data relating to criminal convictions and offences. Special categories include racial or ethnic origin, political opinions, religious beliefs and health data; typical examples are polling companies, trade unions and healthcare providers storing patient records.

In conclusion, there have been many debates about who should be the DPO and whether SMEs require one. In short, SMEs are not exempt: the obligation depends on the nature of the processing described above, not on the size of the organisation, and a DPO safeguards the Data Controller (the legal entity or business) in meeting its regulatory obligations under GDPR. Peter Brown, Senior Technology Officer at the ICO, said at the Infosec 2017 conference:

"I've heard plenty of people talking about there being a DPO exemption for SMEs; this is absolutely not the case."

To discuss your GDPR needs further, get in touch with Razak Shariff at Amdas on 020 3488 2027 or email Razak.shariff@amdas.co.uk.

Please also visit our GDPR page – amdas/gdpr