As of 25 May 2018, businesses and retailers that are based in the EU, have customers residing in the EU, or otherwise handle the personal data of individuals in the EU must comply with a new data protection regime: the GDPR (General Data Protection Regulation).
GDPR represents the most significant change in data privacy regulation in 20 years. Organisations which fail to adhere to the GDPR’s rules can face fines of up to 4% of the business’ worldwide annual turnover or €20 million, whichever amount is greater. And, under GDPR, the supervisory authority (the Data Protection Authority, or DPA) must be notified of a personal data breach within 72 hours of the organisation becoming aware of it.
Among its other requirements, the GDPR obliges all public sector organisations and many private sector organisations to designate a Data Protection Officer (DPO), who takes ownership of overseeing data processing and advising on the organisation’s compliance with the GDPR.
Under Article 37 of the GDPR, appointing a DPO is mandatory only where:
- The processing is carried out by a public authority or body (except for courts acting in their judicial capacity)
- The organisation’s core activities consist of processing operations which, by their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale
- The organisation’s core activities consist of large-scale processing of special categories of data (i.e. sensitive data such as health, religion, racial or ethnic origin, sexual orientation etc.) or of personal data relating to criminal convictions and offences
Failure to appoint a DPO where one is required risks a fine of up to €10 million or 2% of the organisation’s worldwide annual turnover, whichever amount is higher.
The Role of the Data Protection Officer
Appointed on the basis of ‘professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39’ (Article 37), the DPO is the designated individual responsible for overseeing an organisation’s compliance with data protection law – including both the UK Data Protection Act and the GDPR.
DPOs manage, monitor and assess an organisation’s data processing to determine whether the business is GDPR compliant. The DPO also helps devise the data protection policies and procedures that bring an organisation into compliance, including implementing new policies, educating staff on data protection, assigning responsibilities, and handling data subject requests. Note that accountability for compliance itself remains with the controller or processor (Article 24); the DPO advises, monitors and reports, and is not personally liable for the organisation’s non-compliance.
To enable the DPO to perform these tasks, Article 38 requires that the organisation:
- Provide the resources necessary for the DPO to fulfil their job functions,
- Give the DPO access to personal data and processing operations, and to the personnel who carry them out – as the DPO’s performance depends on this access,
- Ensure the DPO operates independently – the DPO must not receive instructions regarding the exercise of their tasks and cannot be penalised or dismissed for performing them,
- Have the DPO report directly to the highest management level of the company (the board, trustees, CEO, founders), which is legally obliged to give them the support they need.
Lastly, the Data Protection Officer must ‘inform and advise the controller or the processor’ of their obligations (Article 39), document that advice and the responses received, and be involved, properly and in a timely manner, in all issues which relate to the protection of personal data (Article 38).
Article 39 of the GDPR sets out the minimum tasks a DPO must perform, which are:
- Informing and advising the organisation and the employees who carry out processing of their data protection obligations
- Monitoring compliance with the GDPR and the organisation’s data protection policies, including the assignment of responsibilities, awareness-raising, staff training and audits
- Providing advice, where requested, on Data Protection Impact Assessments (DPIAs, Article 35) and monitoring their performance
- Co-operating with the relevant supervisory authority
- Acting as the contact point for the supervisory authority on data processing issues
It is important to note that while DPOs do not need to be legally qualified, they must have demonstrable expertise, including expert knowledge of data protection law and practices, as well as an understanding of the organisation’s technical structure and IT infrastructure. The DPO may be a member of staff or an external provider engaged under a service contract (Article 37), and a group of undertakings may appoint a single DPO provided they are easily accessible from each establishment.
What is your next step?
With some industry estimates attributing 95 percent of all security incidents to human error, organisations should be investigating the recruitment of a DPO now. The longer they delay, the greater the risk they place upon their business. Some may think that this EU regulation doesn’t matter in the wake of Brexit – but this is false. GDPR will apply irrespective of Brexit or of when Article 50 is invoked. A failure to act now could result in businesses sleepwalking into large financial penalties and reputational damage.
To find out more about how DataRaze can assist in ensuring you remain GDPR compliant, contact us today: https://dataraze.com/contact/