“Data protection governance and oversight”
The General Data Protection Regulations (GDPR) will apply fully in the UK from 25th May 2018. The regulations talk about the appointment of a data protection officer (DPO).
For public authorities (except for courts acting in their judicial capacity) it is mandatory to appoint a DPO, as it is for any organisation:
- carrying out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
- carrying out large scale processing of special categories of data or data relating to criminal convictions and offences.
Otherwise, businesses must ensure that their organisation has sufficient staff and skills to discharge their obligations under the GDPR, and so they may appoint a DPO if that helps them meet these criteria.
DPOs must have professional experience and knowledge of data protection law. This should be proportionate to the type of processing the organisation carries out, taking into consideration the level of protection the personal data requires.
The DPO’s minimum tasks are defined in Article 39:
- To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
- To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.
- To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers, etc.).
- Report to the highest management level of the organisation – i.e. board level.
- Be able to operate independently and not be dismissed or penalised for performing their task.
- Have adequate resources provided to enable them to meet their GDPR obligations.
Naturally the role of DPO can be allocated to an existing employee, as long as the professional duties of the employee are compatible with the duties of the DPO and do not lead to a conflict of interests.
The good news is that there is nothing stopping the role being contracted out externally. If you would like Crimson Crab to act as your DPO please get in touch to find out more and get the ball rolling.