What Does a GDPR Data Protection Officer Do: Do You Need One?
One of the biggest considerations when it comes to the adoption and implementation of the General Data Protection Regulation (GDPR) is the requirement of hiring a Data Protection Officer (DPO).
Have you found and hired or designated the right candidate to serve as your organization’s DPO?
Or maybe you haven’t yet launched your search because you need more information?
While you still have time to hire and prepare your DPO for his or her responsibilities, May 25, 2018 really is coming up fast. Right now may be the perfect time—or at least right in time—to dig deeper into this aspect of GDPR compliance to help you put all the pieces together for full compliance while finding, appointing and assisting your DPO settle into the role.
Why Has the EU Parliament Required the Appointment of A DPO For GDPR Compliance?
Article 39 of the EU GDPR has made the hiring or designation of a DPO a key component of the GDPR for companies whose data processing requires “regular and systematic monitoring of data subjects on a large scale,” notes IT Pro.
Further, this key role in the GDPR world is necessary when the organizations are public bodies that collect or process data, as well as organizations whose central activities focus on collecting, processing and storing data that involves religious beliefs, ethnicity, race genetic data, sexual orientation, trade union memberships, and criminal offenses and convictions. This personal information may belong to the organization’s employees, individuals outside of the organization, or both.
The EU Parliament has deemed that protecting such highly personal information, which potentially leaves the owner of the data open to discrimination and other negative repercussions if compromised in any way, needs a special caretaker to ensure its protection.
What Are the Responsibilities of A DPO?
The designated DPO of an organization has many responsibilities in his or her stewardship of data, including the following:
- Provides necessary education and training for executives, management and employees on important GDPR compliance requirements, along with any other relevant EU or Member State data protection laws. The DPO must regularly reinforce the message regarding the importance of their compliance.
- Conducts audits to ensure compliance. These audits also allow for the opportunity to catch and address potential issues proactively.
- Serves as the contact person between the organization and the GDPR Supervisory Authorities.
- Communicates with data subjects, informing them about how their data is being used; as well as their rights to have their personal data erased. He or she also provides information about the measures in place to protect their personal information.
- Prepares and maintains comprehensive records of all data processing activities, as well as the purpose of those activities, performed by the organization. The DPO must make these records public upon request.
- Oversees performance and provides advice on the effectiveness of data protection efforts.
- Monitors the risk associated with processing operations, considering the nature, scope, context and purposes of processing.
It is probably clear that this is a highly specialized position that, while working in tandem with IT, additionally requires some degree of legal and auditing knowledge and experience. He or she must also be able to effectively communicate a variety of information to individuals, small groups and large governmental bodies.
What Are the Qualifications of A DPO?
Before launching your search, it will help you to have a solid idea of just what qualifications and background you need to look for in your DPO candidates. The International Association of Privacy Professionals (IAPP) reports that many companies are treating the DPO position as merely an IT role without legal experience or as a compliance role with no risk or IT experience.
There is simply more to this position than either combination. Article 37.5 of the EU GDPR may add some insight into the specific requirements and qualifications you should seek in your DPO candidates:
“The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfill tasks referred to in Article 39.”
Do You Need to Hire a DPO?
The short answer to this question for most companies is: it depends. Since all public organizations, such as government agencies and others who handle large swathes of data, your organization may fall under that category.
Remember the basic GDPR statute that any organization that processes data requiring systematic monitoring of subjects on a large scale is subject to this requirement.
Information Week notes that, beyond an organization’s HR data, companies should consider whether they process and manipulate a customer’s personal data. In that case, businesses like banks, healthcare bodies and credit card companies.
Do You Need to Hire Someone, Or Can You Outsource the Position?
You do not need to hire a permanent, full-time staff member to fulfill your DPO obligations. You may reach out to an expert in the field on a contracting basis, as long as his or her expertise aligns with your business data processing operations and according to the requirements of the GDPR.
Do You Need Help Finding the Right GDPR DPO for Your Organization?
If you still have questions or concerns about finding the right candidate to fill this crucial position to help you prepare for the GDPR enforcement deadline and beyond, you are far from alone. Many companies are struggling to understand the definition, requirements and scope of this position, as well as their own specific needs in fulling the position.
Our I.S. Partners, LLC. GDPR team of experts can help you sort it out so you can feel confident as you start your DPO search. We want to help you hire a qualified candidate and begin training them to make sure you feel as confident as possible before the GDPR goes into full effect.