Over the past few weeks we’ve been exploring aspects related to the new EU data protection law (GDPR) which will come into effect in 2018.
GDPR, or General Data Protection Regulation, will affect all EU countries and any business who deals with people who live within the EU.
It’s an enhancement of data protection laws and brings in new obligations regarding matters such as data transfers, breach notifications, data subject consent and data anonymization.
Recently, we have looked at what is GDPR and how you can start to get ready now. This third part in the series we will be looking at one of the most important roles under GDPR, the Data Protection Officer (DPO). To catch up, find part 1, and part 2 here.
GDPR: Who needs a Data Protection Officer?
In general, DPOs will be required by public authorities and companies who regularly gather personal data. That’s quite non-specific criteria, but essentially if your business deals regularly with personal data, the obligations with regards to GDPR are likely to mean that you will need someone dedicated to ensuring that you comply.
Your DPO will need expert knowledge of data protection laws, which means either you need to upskill someone who already works in a similar role prior to GDPR coming in, or you need to hire someone new.
The International Association of Privacy Professionals estimates that 28,000 Data Protection Officers will be required in Europe and the US alone, so competition for qualified individuals is going to be high.
Therefore it is important that businesses are thinking about this and acting now to ensure they are ready for when the new law comes into effect.
GDPR: What Will Your Data Protection Officer Do?
Article 39 of the GDPR summarizes the tasks that the DPO will undertake:
- To inform and advise the entire company about its obligations to this regulation.
- To monitor compliance with the regulation including assigning responsibilities to others, awareness raising and training.
- To monitor the company’s data protection impact assessment and report back on it when required.
- To comply with the supervisory authority.
- To act as the authority’s contact point.
The Data Protection Officer also has a legal obligation under the regulation to notify the supervisory authority when a data breach occurs and they must do within 72 hours.
GDPR: Business Obligations to Data Protection Officers
One of the crucial requirements is that the DPO remains independent. While they are a part of your company, their role is to be an auditor, ensuring an objective view upon data protection. Furthermore, they must be allowed to act in accordance with the regulation without fear of being penalised or losing their job for doing so.
This will especially be important with regards to data breaches where the trend previously has been for companies to want to ensure that news of a breach is kept enclosed to try to lessen the PR impact.
Legally, DPOs must inform the supervisory authority of a breach within 72 hours and businesses need to support them in doing so.
Companies must also be able to demonstrate that they are giving their DPOs the time, resources, access to information, ability to communicate with all staff and continuous training to enable them to do their jobs to the best of their abilities.
How Do You Know If You Need a Data Protection Officer?
One of the key things to do is carry out a business process audit to examine the personal data that you currently hold, where you store it and why you are keeping it and then set processes in place for how you will store and gather such information in the future.
erwin can assist you with this so get in touch with us today to find out more.