Data Protection Officers Under GDPR
Under the new General Data Protection Regulation (‘GDPR’), due to come into force in May 2018, there will be legislative changes regarding the appointment of Data Protection Officers (‘DPOs’).
Article 37 of GDPR provides that a Data Protection Officer must be appointed if:
- the processing is carried out by a public authority or body (except for courts acting in their judicial capacity);
- the core activities of the controller or processor consist of processing operations which, by virtue of their nature, their scope and / or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offences.
Currently, in the UK, data controllers are required to register their data processing activities with the Information Commissioner’s Office (‘ICO’), unless they are exempt. Under the new GDPR this need to register and notify the ICO will change, and in its place will be a new requirement for organisations to comply with internal record keeping requirements.
A DPO:
- must be appointed on the basis of professional qualities and, in particular, must have expert knowledge of data protection law and practices;
- may be a staff member or an external service provider;
- must ensure that their details are registered with the ICO;
- must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge; and
- may not perform any other tasks which could result in a conflict of interests.
A DPO will be responsible, amongst other things, for:
- advising the organisation, and its employees, of their obligations;
- monitoring the organisation’s compliance with those obligations;
- being the direct point of contact for both the public and the ICO;
- advising on data impact assessments and monitoring their performance; and
- reporting directly to the ‘highest management level’ of the organisation.
Although an organisation may not be compelled to appoint a DPO, the GDPR provides that an organisation may do so if it so wishes (or if required to do so by other Union or Member State law).
Irrespective of whether your organisation is obliged to appoint a Data Protection Officer or whether you voluntarily choose to appoint one, you must ensure that your organisation has sufficient staff and skills to meet the new data protection compliance requirements.
If you are considering whether your organisation needs to appoint a DPO, please do not hesitate to contact us, and we will be happy to discuss your organisation’s requirements.