In less than five months, the General Data Protection Regulation ("GDPR") will apply across the EU, replacing the existing data protection framework under the EU Data Protection Directive (95/46/EC).
From 25 May 2018, all organisations that process personal data will face new obligations in relation to how they process, manage and store that data and, most significantly, may face more stringent financial penalties for non-compliance and breaches: up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher. To prepare, organisations need to review their day-to-day procedures to ensure that their business processes will comply with the Regulation.
If your organisation has not yet begun a review of its requirements, a good place to start is to assess whether you need to designate a Data Protection Officer ("DPO").
What is a DPO?
The DPO is a new role under the GDPR: a person, who may be a member of staff or an external provider engaged under a service contract, who informs and advises the organisation and monitors its compliance with the GDPR. Responsibility for compliance itself remains with the controller or processor. The GDPR requires the designation of a DPO in three specific cases:
- Where the processing is carried out by a public authority or body (irrespective of what data is being processed), except for courts acting in their judicial capacity;
- Where the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale; and
- Where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences.
The role of a DPO is comprehensive. In these three cases, designation of a DPO is mandatory under Article 37; in all other cases an organisation may designate one voluntarily, and if it does so the same requirements apply. Article 37(5) requires that a DPO "shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39".
Do you need specific skills to fulfil the role?
There is no particular qualification or certification specified in the GDPR, but the level of expertise required should be commensurate with the sensitivity, complexity and volume of the data the organisation processes. Consideration of the necessary skills and expertise should include:
- expertise in national and European data protection laws and practices including an in-depth understanding of the GDPR;
- an understanding of the processing operations carried out;
- an understanding of information technologies and data security;
- knowledge of the business sector and the organisation; and
- the ability to promote a data protection culture within the organisation.
Where the DPO is a member of the controller's or processor's staff and has other duties, those duties must not result in a conflict of interests with the DPO function (Article 38(6)). In practice this means the DPO cannot hold a position in which they determine the purposes and means of processing personal data, such as head of IT, HR or marketing, and should report directly to the highest level of management rather than form part of it, so that the role retains a degree of independence from the organisation's management.