When the GDPR, the European Data Protection Law, became official in May 2018, it did not only start a new system of data protection law for personal data relating issues but also new data protection obligations and procedures to follow to comply with what GDPR asks from the organisations that fall into its scope.
In other words, every organisation processing personal data under the scope of GDPR must-have business systems and data processing operations that follow the GDPR principles for data security.
To appoint a DPO (when applicable) and support the DPO’s tasks is part of this compliance.
A data protection officer (DPO) is required under the Data Protection Act in certain circumstances.
Data controllers and processors shall appoint a DPO when processing is made by public authorities (except courts acting in their judicial capacity or organisations acting in a judicial capacity), and where the core activities require regular and systematic monitoring of data subjects at a large scale processing (e.g., social media, search engines, etc.), or/and if their processing has a large scale of special category data (or data relating to criminal convictions).
The geographical extent of the processing operations is also relevant when considering the GDPR guidelines.
Why is a data protection officer important for GDPR?
Six principles sustain the data protection law, although it’s important to clarify that these principles only apply to the activities of data controllers, and they don’t directly apply to data processors.
What is the difference between both roles?
A data controller is a natural or legal person, public authority or body, agency, or other entity that alone or jointly with others, determines the purposes of the processing of personal data.
On the other hand, a data processor is the one that processes personal data on behalf of a data controller. Almost all organisations can perform any or all of these three roles, even at the same time, depending on the specific processing activity; the processing activity will determine the role.
Accountability and Transparency
One of the aforementioned principles is “fair, lawful and transparent processing” for the core activities. This can be applied in many ways, as we will explain now.
For data controllers, the capacity to interpret data protection law to demonstrate accountability is fundamental if they wish their key operations regarding processing data activities to be lawful. Accountability means taking responsibility and actions towards demonstrating compliance with GDPR, while transparency relates to openness and accuracy when processing personal data and sensitive data.
Transparency also refers to the ability of the organisation to keep data easily accessible and easy to understand for data subjects and the relevant supervisory authority, a public authority or body if applicable, and to be unambiguous when communicating with individuals about their GDPR rights.
Examples of how to ensure compliance with these principles are varied, such as a privacy notice available on an organisation’s website, easy access to data subject access requests forms, clear retention periods for every data processing activity, right to opt-out from a newsletter if the data subject decides to, and have a contact point between the organisation and the data subjects and other entities (e.g. a public authority).
This point of contact for an organisation’s personal data processing matters is usually the data protection officer (DPO) or the data protection manager (DPM). Both have the same legal status, and the organisation will decide to appoint a DPO depending on the nature of the processing activities.
What is a data protection officer (DPO)?
A data protection officer is a qualified advisor with expert knowledge that guides data protection compliance within organisations in their data-relating activities, including special categories.
A data protection officer is required for monitoring GDPR compliance in certain circumstances.
Data controllers and processors shall designate data protection officers when processing operations are made by a public authority (except courts), their processing requires regular and systematic monitoring of data subjects at a large scale (e.g., social media, search engines, behavioural advertising, etc.), or if their processing has a large scale of special categories of data (or personal data relating to criminal convictions and offences).
It is advisable to outsource a data protection officer when there is a conflict of interests when monitoring compliance.
Duties of a DPO
Data protection officers can become involved at any stage of an organisation’s compliance journey, offering their professional qualities whether from the very beginning by applying the principle of “data protection by design”, this means, the responsibility of the controller to integrate security measures for all the processing of personal data from a physical and organisational point of view (internal data protection policies, IT, pseudonymisation, data sharing agreements, audits, staff training, data protection impact assessments, processing of sensitive data -such as health data-, data breach reporting, etc.), or whether it is by using “data protection by default” which means only minimum personal data to be collected for specific purposes.
Mechanisms such as strict privacy settings, clear retention periods, and transparent communication with data subjects about the handling of their data and their rights are key aspects of a good data protection culture, related also to the “data minimisation principle”, one of the fundamental rules of data protection; to process information that is adequate, relevant and limited to what’s necessary.
This also includes a regular review and update of the framework, keeping the organisation up to date with the latest technologies and guidelines of GDPR and the European data protection board.
A DPO can be a senior member of the organisation; this role can be outsourced based on a service contract when there is an incompatibility between roles (e.g. CEO, chief operating officer, chief financial officer, etc.), or when the organisation decides it’s convenient for its core activities.
Guarantees for A DATA PROTECTION OFFICER (DPO)
In any case, the DPO must be offered enough resources to perform with success in its role, oversee data protection procedures through regular and systematic monitoring to ensure compliance with GDPR and the right handling of customer data, and provide advice.
The tasks referred to in detail can be found in Article 39 of GDPR.
Independence, transparency, and support for the DPO to perform their duties independently and efficiently inside the organisation it’s essential to demonstrate GDPR compliance. The organisation must ensure that the DPO is involved in all issues for data protection of personal data.
A DPO operates independently and a DPO reports directly to the highest management level of the controller or processor entity and cannot be fired by the controller or processor for doing their job. This is protected by law and infringing it could lead to heavy fines for the organisation.
What happens if a company doesn’t have a DPO?
First of all, not every organisation needs to have a DPO. Some organisations may have a data protection manager, champion or lead, depending on the needs of the organisation.
There are legal reasons established by the GPDR for an organisation to comply with the appointment of a DPO, reasons related to the type of organisation and the type of processing activity.
If an organisation decides not to have a DPO, this must be demonstrated, documented and subjected to periodic review, and available for supervisory authorities.
Organisations are also required to publish their DPO’s details and provide them to the relevant supervisory authority (e.g., the Information commissioner’s Office).
The importance of good compliance culture
When an organisation takes the responsibility of working with a DPO, a culture of good practices is important to meet its DPO obligations correctly. This means providing support and resources for the DPO, ensuring their independence and considering their advice in a timely manner in all personal data processing activities.
THE RISK OF FINES
Worst case scenario, if an organisation fails to support the independence, autonomy and necessary resources for the DPO to perform their role can lead to fines of up to £8.7 million, or 2% of worldwide annual turnover, whichever is higher.
How can PropelFWD help you?
PropelFwd can help you outsource a Data Protection Officer (or manager) that understands your organisation, your personal data processing activities, and your data protection issues.
If it is not a mandatory requirement to appoint an internal or external DPO, forward-thinking organisations are choosing to appoint a Data Protection Manager (DPM), to help regulate their data protection responsibilities and to boost the confidence level of their customers especially if the business deals with a large scale of processing.
Does your organisation need a data protection officer dpo?
DPOs are independent data protection experts and outsourcing your DPO could avoid the issues of conflict within your organisation, can be more cost-effective and gives access to the knowledge and experience required to fulfil this very important role.
Get in touch with PropelFwd to discuss the appropriate way forward to handle your data protection requirements. Our services can be tailored to meet the needs of your business and provide you with the confidence you need that your data protection requirements are being met.
Whether your organisation chooses to have a data protection officer or a data protection manager, this role is fundamental for the compliance of personal data processing core activities, whether this is on a small or a large scale. Let’s remember that GDPR was created to protect the data subjects and to set limits and regulations on how organisations make use of this information.
It also supports data subjects concerned about their data.
When an organisation applies appropriate measures to ensure security towards confidentiality, access and integrity of personal data, it shows commitment to the protection of data subjects’ rights and a strict observance of GDPR principles.
If your organisation doesn’t have a DPO or a DPM yet, contact us to have a chat, we are always here to help.