The purpose of this piece is to give an overview of upcoming DPO/Data protection officer requirements.
This is part one in a three part series exploring Data protection and GDPR.
EU GDPR (General Data Protection Regulation) legislation comes into effect on 25th May 2018. While that date may seem some distance away, many organisations have had plans in motion since as early as 2016 because of the long compliance lead-times.
The legislation is not about data security or waterproofing; it is specifically aimed at EU citizens' personal data – their names, email addresses, even IP addresses. Basically, any data that can be used to identify your customers.
While the legislation has been signed off into law, interpretations of some practical applications and definitions are ongoing (see the ‘Working Party 29’ group, the EU GDPR advisory body).
GDPR is not about public or private data; it is about personal and non-personal data.
What is a Data Protection Officer?
The GDPR is an extension of existing legislation in the EU and in individual member states (the 2009 EU data protection rights/fundamental rights under the Lisbon treaty) – and little has changed in terms of the spirit of the law.
What has changed is how breaches of the law are penalised, and by extension, how personal data handling must now be managed in organisations. There are now real reputational and financial penalties in place for non-compliance.
GDPR has introduced a number of requirements, one of which is the appointment of a Data Protection Officer if you fall under one of the categories below:
- Your organisation is a public body
- You are a private company processing medium- to large-scale amounts of personal data
- You are a data controller processing large-scale special-category personal data
Previously a shared function
Currently, most of these types of organisation assign data protection responsibilities as a hybrid job function: possibly an on-site subject matter expert who acts as the data privacy champion, or a legal professional with added responsibility.
Under GDPR, this arrangement is no longer permitted. This must be a stand-alone position within the organisation, with the job-holder having only ‘Data Protection Officer’ as their title and remit.
“Data protection is incompatible with authoritarian top-down organisations. It also needs to be culturally separate; similar to the compliance function in many Financial services organisations”
The DPO may need support depending on the size of the organisation and its personal data exposure. Project managers and business analysts may be needed for implementation and privacy-by-design concerns on ongoing and new projects, and training programmes for the wider organisation will likely be necessary.
As ‘the front line’ is where personal-data breaches are most likely to occur in future, a lack of official training for your front-line data processing staff will probably weaken your defence in the event of a court appearance.
Also, while the Data Protection Officer does not need to be a qualified legal professional, legal sign-off will likely be required for data protection audits (and for data privacy assessments, which are mandatory under the legislation for high-risk organisations) and for decisions affecting the wider business.
Finally, executive backing and sponsorship of the function will be critical to ensuring success – with governance steering committees for larger businesses.
The DPO will need access to all areas, and enough clout to have their requests acted upon.
Finsearch professional recruitment provides data protection recruitment solutions covering all aspects of GDPR recruitment and compliance, from sourcing Data Protection professionals, legal talent, Business Analysts and Project Managers to contractors – on both a permanent and a contract basis.
Contact us today.