This section of our GDPR blog series covers what a DPO is, whether your business needs one and outlines the responsibilities, qualifications and role of a DPO. This mandatory position ensures that your organisation is compliant with the European Union’s General Data Protection Regulations (GDPR)
A Data Protection Officer (DPO) is a position within an organisation who ensures that a company’s data management is in line with the European Union’s General Data Protection Regulations (GDPR). This role is also responsible for the implementation of processes within your business that protect the data collated, used and stored by your business.
What Qualifications Does a DPO Need to Hold?
There are currently no certifications awarded to a DPO and they do not need to have any specific qualifications. However, article 37 of the EU GDPR (entitled “Designation of the Data Protection Officer”) states that “expert knowledge of data protection law practices” are required. A DPO could be a current employee within your organisation and can also oversee the data protection processes of multiple sites within an organisation (dependant on structure and size of the company.) Alternatively a company could outsource this role to an outside individual or organisation.
Responsibilities of a DPO:
Ensuring the company is complying to data protection regulations and addresses any infringements in a timely manner.
To train all internal (and in some cases external) employees on the regulations and processes required to protect data collection, usage and storage within he business.
As the number one contact to GDPR supervisors.
Following procedures and regularly updated and analysing the organisation’s data protection policies and methods.
To retain all records of data protection processes, any amendments, reasons for any changes, dates and person responsible for the change/s. Also, to ensure that a process is set up to provide changes by public request.
For communicating to data subjects how their data is used, the means by which it is protected and their ‘right to be forgotten’.
The UK is expected to leave the EU in March 2019. GDPR compliance is obligatory for organisations collating, processing or holding data of EU citizens. For a summarised introduction to the GDPR regulations, read our previous blog in this series 'GDPR Guide, Business Tools and Jargon Free Info'.' Your business will need to hire a DPO before May 2018. The sooner you instate a DPO, the better qualified and informed the individual will be with regards to data protection. The contact details of your newly appointed Data Protection Officer must be communicated to the Lead Supervisory Authority (LSA). For instance, in the UK’s case, the LSA is the Information Commissioner’s Office (ICO).
If you have found this blog helpful, subscribe to our blog to receive further tips, tools and advice directly into your inbox. To discover more about GDPR and your responsibilities as a business, take a look at our GDPR Guide and get clued up in time for the May 2018 deadline.