The General Data Protection Regulation (GDPR) has had a major impact on the way organisations around the world do business. Adopted in 2016 and applicable across the EU since 25 May 2018, GDPR was designed to create a single European standard of data protection, to give individuals in the EU more control over their personal data, and to change the way organisations approach data privacy. The exact procedures which must be followed by organisations covered by GDPR are complex, and businesses are expected to devote significant resources to ensuring that they are fully compliant. This may include implementing new technical safeguards such as encryption, rewriting business contracts with third parties, or appointing staff such as data protection officers (DPOs) to oversee compliance. The role of a DPO is discussed later in this article.
GDPR has different implications for organisations depending on how they handle data. In the language of the Regulation, there are two broad categories: data controllers, who determine the purposes and means of processing personal data, and data processors, who process personal data on behalf of a controller. An organisation may fall into both categories for different processing activities. According to Article 25 of GDPR, it is the duty of the controller to “integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects”.
What is a DPO?
Under Article 37 of GDPR, controllers and processors must designate a data protection officer (DPO) where their core activities consist of processing operations which require regular and systematic monitoring of data subjects (the individuals whose data is processed) on a large scale, or of large-scale processing of special categories of data (Article 9) or of data relating to criminal convictions and offences (Article 10). Article 38 addresses the relationship between controllers and processors and their DPO directly: “the controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data”.
According to GDPR, a DPO:
- may be an existing member of staff at the organisation who is retrained to fill the role or an external service provider
- must be provided with the resources required to perform their tasks, including access to personal data and processing operations, and to maintain their expert knowledge
- must report directly to the highest level of management in the organisation
- must not carry out any other tasks or roles within the organisation which may result in a conflict of interest
- must be appointed as the DPO on the basis of their professional qualities and, in particular, their expert knowledge of data protection law and practices
Who Needs to Hire a DPO?
It is important to note that while GDPR is an EU law, it is not just organisations based in the EU who are legally required to comply with it. Under Article 3, any organisation that processes the personal data of people in the EU is covered, whether because it has an establishment in the EU or because it offers goods or services to, or monitors the behaviour of, individuals there, regardless of where its headquarters is physically located. This stipulation is particularly important in the age of the Internet and global multinational organisations. Many organisations may consider themselves exempt from GDPR because they do not realise that it reaches beyond the EU's borders. However, ignorance of GDPR is not an excuse for a violation, and the fines are hefty: the maximum penalty is either €20 million or 4% of the organisation's total worldwide annual turnover for the preceding financial year, whichever is higher.
It is important to understand what GDPR means by “personal data” when an organisation is assessing whether or not it needs to appoint a DPO. Article 4(1) defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’)”, where an identifiable person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to that person's physical, physiological, genetic, mental, economic, cultural or social identity. Data that can only identify someone when combined with other information the organisation holds or is likely to obtain still counts.
GDPR sets no headcount threshold for the DPO requirement; the 250-employee figure that appears in the Regulation relates to the exemption from keeping records of processing activities (Article 30), not to DPOs. In practice, however, large organisations usually carry out the kind of large-scale processing that triggers the requirement, so they should expect to need a DPO. All public authorities and bodies must designate a DPO under GDPR, except for courts acting in their judicial capacity. For smaller organisations, the situation is more complicated. While most small businesses are not required by GDPR to appoint a DPO, there are some notable exceptions. If a small business processes personal data on a large scale, carries out large-scale regular and systematic monitoring of people, or processes information that falls under a “special category” of personal data as one of its core activities, a DPO must be appointed. The special categories of personal data (Article 9) include:
- the racial or ethnic origin of a subject
- the political opinions or the religious or philosophical beliefs of the data subject
- trade-union membership of the data subject
- the physical or mental health condition, sex life or sexual orientation of the data subject
- biometric data processed for the purpose of uniquely identifying a person
- genetic data
Personal data relating to criminal convictions and offences (Article 10) is treated in the same way for the purposes of the DPO requirement. Even if a small business is not covered by these stipulations, it may still be a good idea to appoint a DPO if it is within the financial means of the organisation. Although appointing a DPO may be costly initially, the expertise they provide in ensuring that the organisation remains fully GDPR-compliant is worthwhile considering the penalties levied against those found to be in violation of the Regulation. Note that a voluntarily appointed DPO is subject to the same requirements on independence, reporting line and resourcing as a mandatory one, so the role should not be created as a purely nominal title.
Responsibilities of a DPO
The primary responsibility of a DPO is to ensure that the personal data of data subjects is protected in line with the standards set out in GDPR. A thorough understanding of privacy law is fundamental to achieving full compliance. The tasks of a DPO, set out in Article 39, include:
- educating staff on data subject rights and on their own responsibilities under GDPR
- informing and advising senior management on GDPR-compliant business practices
- monitoring activities across the organisation to ensure they are GDPR-compliant, including the assignment of responsibilities and internal audits
- cooperating with, and acting as the contact point for, the supervisory authority
- advising on data protection impact assessments (DPIAs) of IT systems, networks and data protection safeguards, and monitoring their performance
- acting as a contact point for data subjects on matters relating to the processing of their data
- advising on the notification of personal data breaches to the supervisory authority (Article 33) and to affected data subjects (Article 34); these notifications remain the legal obligation of the controller, but the DPO is typically closely involved in assessing the breach and preparing them
Aside from being a legal requirement for many organisations, the appointment of a DPO is essential for navigating the complexities of GDPR. DPOs are an integral part of implementing organisation-wide GDPR compliance, ensuring that every aspect of the organisation's operations maintains the privacy of personal data.