Does your organisation need to appoint a Data Protection Officer? Under the GDPR, a Data Protection Officer (DPO) must be appointed for all “public authorities”, and for those organisations whose core activities involve “regular and systematic monitoring of data subjects on a large scale” or where the organisation conducts large-scale processing of “special categories of personal data” (such as racial or ethnic origin, political opinions, religious or philosophical beliefs and so on).
This is a massively important role – at least until we are all much more familiar with the regulatory requirements of the GDPR. The Regulation indicates that a DPO must have “expert knowledge of data protection law and practices.” They will be regarded as the link between all those data subjects whose data you are holding and your business. They will be the link between your business and the Information Commissioner’s Office (as the regulatory body within the UK). They will have to assess and manage risk. They will have to carry out data protection or privacy impact assessments. They will have to ensure your business is GDPR compliant, and they will have to ensure that all staff are trained on collecting, storing, processing and retaining data. This is a massive job.
Arguably this is a full time job and we are concerned that most people will not fully understand the responsibility of the role. Do not fall into that trap.
The DPO’s most significant requirement is a solid understanding of the GDPR. Whilst there is no requirement for the DPO to be legally trained, you should be thinking about making sure your DPO is suitably skilled, so consider training for them, what resources they will have available and what assistance they require.
We have boiled down the necessary skills as follows:
- Sufficiently familiar with the concepts and practical interpretation of data protection and privacy;
- A good communicator, as they will have to be able to create and curate a data protection culture within your organisation;
- Organised, as they will have to project manage your implementation plan, from audit to delivery;
- Ethical, as the DPO will in some organisations be placed in a potential conflict of interest position; for example, if they know that compliance will require an investment in a new IT system costing £50,000, but they are also remunerated on the basis of profit, they need to realise that the company’s compliance takes precedence;
- Senior, as they are required to report to the managing board on the risks and potential solutions, and
- Visible, as they will be expected to have a sufficient profile within the organisation to properly spread the word.
If you are the DPO or you feel your organisation needs a DPO, then Gilson Gray can offer assistance and training for the DPO to ensure that they possess the necessary skills and are given access to the right resources. We are also currently assisting a number of DPOs simply as a ‘colleague down the corridor’ or someone to take a second opinion from.
Time is running out: the GDPR will come into force on the 25th May 2018, so don’t get caught out! Click here to read our 12 steps to GDPR compliance.