Do you need a Data Protection Officer?
The GDPR introduces the new role of Data Protection Officer (DPO), which is very similar to the role of Compliance Officer in a regulated environment.
Who must have a Data Protection Officer?
- All public authorities and bodies (all educational establishments should assume they will have to appoint a DPO).
- Any organisation that undertakes regular and systematic monitoring of individuals on a ‘large scale’ (for example, online behaviour tracking).
- Any organisation that processes special categories of data (sensitive personal data) on a ‘large scale’. (There is currently no clear guidance about what ‘large scale’ means; it is left to organisations to decide.)
The Data Protection Officer appointed must have professional experience and knowledge of data protection law, whether they are a member of staff or the role is contracted out externally.
The duties of a Data Protection Officer
Their duties include:
- monitoring and updating the company’s processing policies, procedures and practices
- maintaining a breach register
- liaising with the ICO (Information Commissioner’s Office) regarding serious data breaches
- completing Privacy Impact Assessments (where needed).
Authority and Empowerment
Whether the Data Protection Officer is a member of staff or an external contractor, they must have professional experience and knowledge of data protection law. It is also important that the Data Protection Officer has authority and is empowered to carry out their role, and they must report to the highest management level in your organisation. In addition, the person appointed cannot be disciplined, disregarded or dismissed for carrying out their role simply because the people at the top don’t want to do what it requires.
This information is from our online training course: An Introduction to the GDPR. The course costs £9.50 and is available to buy online.
The course is also included in all our multiple course training packages.
Introduction to the GDPR
On 25th May 2018, the General Data Protection Regulation (GDPR) will become law in all European member states, including the United Kingdom, which will still be a member at that time.