The GDPR provisions on appointing a Data Protection Officer (DPO) (Article 37) will apply to your organisation if you are a public authority or body; if your core activities involve the regular and systematic monitoring of individuals on a large scale; or if your core activities involve large-scale processing of special categories of data (Article 9) or of data relating to criminal convictions and offences (Article 10).
What does a DPO do?
Article 39(1) sets out the tasks a DPO must have as a minimum ("at least the following"):
(a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
(b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
(c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
(d) to cooperate with the supervisory authority;
(e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
Article 39(2) adds that the data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
What does a Data Protection Officer look like?
The GDPR does not prescribe the precise credentials a DPO must hold, but Article 37(5) does require that they are designated on the basis of professional qualities and, in particular, "expert knowledge of data protection law and practices" and the ability to fulfil the tasks listed above.
It is worth noting that a DPO may be either a staff member of the organisation or an external party who fulfils the tasks under a service contract (Article 37(6)).
How do I appoint one?
You can choose to appoint an existing member of staff to cover this role, but you must ensure that they have the relevant skills and experience and that the role does not conflict with any of their other duties (Article 38(6)); a head of IT or a marketing director who decides the purposes and means of processing, for example, cannot independently monitor their own compliance.
DPOs usually come from one of three distinct backgrounds:
- Records Management (data protection / privacy / FOI)
- IT/cyber security
- Qualified lawyer
The option that is most suitable to your organisation depends entirely on your circumstances and how you see this role working. However, due consideration must be given to the GDPR requirement of "expert knowledge of data protection law and practices." A candidate who sees the role only through the lens of technical cyber security, or only through legal compliance, will struggle with the advisory, monitoring and supervisory-authority liaison tasks the regulation assigns to the DPO.
Whilst you can't currently hire someone with vast experience of the GDPR itself (because it hasn't yet come into effect!), you can tap into data protection and privacy practitioners who are already well qualified under the existing regime, for whom the GDPR is an evolution rather than a game changer. Within our network are subject matter experts who have worked in data protection and privacy for many years.
You can appoint someone permanently or outsource this role to a third party – such as a data protection consultancy.