GDPR: Guidance released on appointing a Data Protection Officer
The EU’s General Data Protection Regulation (GDPR) is set to take effect within the UK from 25 May 2018. GDPR is aimed at unifying data protection across the EU Member States whilst increasing the data rights of individuals and placing more obligations on those who process data.
The GDPR requires some businesses to appoint a data protection officer (DPO) in certain circumstances. The Information Commissioner’s Office (ICO) and the Law Society have released guidance on appointing a DPO to help organisations with this process.
Under the GDPR, employers will have to appoint a DPO where they:
- Are a public authority;
- Carry out large scale systematic monitoring of individuals (such as tracking of online behaviour); or
- Carry out large scale processing of special categories of data or data concerning criminal convictions and offences.
Under the GDPR, DPOs will be responsible, as a minimum, for:
- Informing and advising the business and its employees about obligations under the GDPR and data protection laws;
- Monitoring compliance with the GDPR and data protection laws, including carrying out internal training, conducting audits and managing activities; and
- Being the designated contact point for individuals and regulatory authorities with regard to the GDPR and data protection laws.
Although the GDPR outlines circumstances where organisations have to appoint a DPO, employers can choose to voluntarily appoint a DPO. The Law Society advises it will be good practice to have a DPO and will be a useful way of showing the organisation’s commitment to meeting compliance obligations.
Importantly, the DPO does not have to be a new member of staff. The role of DPO can be allocated to an existing employee so long as there is no conflict of interest between the employee’s current duties and the duties of the DPO. The Law Society suggests employers should consider whether the individual has appropriate levels of expertise, knowledge and resources to carry out DPO duties, taking into account the type of processing carried out by the organisation.
Appointing a DPO will meet the requirements under the GDPR and will help organisations achieve compliance with their data protection obligations. It is important to remember, however, that DPOs will not be deemed personally responsible where the organisation fails to meet its GDPR obligations. The liability for a breach will remain with the organisation; it is therefore imperative that the DPO is given sufficient resources, training and support to help the business achieve full compliance.