The requirements of the GDPR are significant, and even if you currently comply with existing regulations, you may need to update your current policies, develop new ones, and ensure that these are properly documented. This will necessitate time, effort, and costs.
“But do I need to appoint a Data Protection Officer, if I haven’t already?”
Well, it is most important that someone in your organisation, or an external data protection advisor, takes responsibility for data protection compliance, and that you assess where this role will sit within your business structure and governance arrangements.
Such a person should have the knowledge, support, and authority to carry out their role effectively.
The obligation to appoint a Data Protection Officer (DPO) applies to both controllers and processors, and you MUST formally designate a DPO if you are:
An organisation may appoint a DPO, regardless of whether the GDPR obliges you to do so. If you are not required to appoint a DPO, you still must ensure that your organisation has sufficient staff and skills to discharge your obligations under GDPR.
The DPO is responsible for monitoring compliance with the GDPR, providing information and advice, and liaising with the supervisory authority (the Information Commissioner's Office in the UK).
The Regulation defines the minimum tasks of a DPO as:
This is an important role and the DPO must:
The role of the DPO can be allocated to an existing employee, and it does not have to be a full-time role. However, this applies only if the professional duties of the employee are compatible with the duties of the DPO and do not lead to a conflict of interest.
You can also contract out the role of the DPO externally.
The GDPR does not specify the precise credentials a data protection officer must hold, but it does require that they have professional experience and knowledge of data protection law. This should be proportionate to the type of processing your organisation carries out, considering the level of protection the personal data requires.
You should consider whether your organisation is required to formally appoint a DPO under the Regulation. Even if the GDPR does not require it, you may consider it worthwhile. If you do not appoint a DPO, you should determine who in your business will be responsible for data protection compliance.
In either case, you should prepare a job specification outlining the role and responsibilities and appropriate reporting lines.