The question of GDPR and a business’s need to comply has spawned many experts and many more questions, all of which need considering. However, for organisations employing over 250 people, one question needs more consideration than any other.
Who is going to be your DPO?
The DPO requirement is one of the key changes being brought in under the GDPR. Under the Data Protection Act (DPA), organisations are not required to appoint a DPO. Under GDPR, many companies in the UK will now fall into the clearly defined category and will need to appoint a DPO.
For some companies, this has already been decided or has even been in place for years, and their DPO will need to be aware of the changes between the DPA and GDPR. If this isn’t the case for your business, then above all else you need to appoint your DPO now. For some businesses, this will be a full-time position. For smaller businesses, this may be a part-time role. However, it’s really important to pick the right person!
The DPO’s minimum tasks, as defined in Article 39, are:
- To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
- To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.
- To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).
Under GDPR, an internal employee can be appointed, as long as the professional duties of the employee are compatible with the duties of the DPO, there is no conflict of interests and adequate resources are made available to them in order to carry out their duties. They should also have professional experience and knowledge of data protection law.
Knowledge of the new requirements is one thing but being the correct individual is quite something else.
Here are some pointers:
- Someone with a good working knowledge of your business.
- Someone with an eye for the details.
- Someone who is respected by the business and reports to the highest management level of the organisation.
If there is not a suitable internal employee, then businesses should look to contract out this role to an external resource as soon as possible.