Do I need a Data Protection Officer?
Find out who needs a DPO
The GDPR, which became legally binding on 25 May 2018, introduced the concept of a Data Protection Officer. The main purpose of the DPO is the protection of personal data. The Data Protection Officer works with an organisation to ensure compliance with the GDPR. The DPO also acts as a hub for the exchange of information between the supervisory authorities who oversee GDPR compliance, data subjects and all sections within the organisation.
DPO: who needs one?
If your organisation fits into any of the following three categories, then it needs a DPO:
- All public authorities and bodies. This includes governmental departments.
- Where the main actions of the organisation comprise data processing operations, whether as controller or processor, which need regular and systematic monitoring of individuals on a large scale.
- Where the main activities of the organisation involve dealing with special categories of data (such as health data) or personal data relating to criminal convictions or offences.
Wide range of public authorities or bodies
The usual suspects are included (national, regional and local authorities), but the term also covers a range of other bodies governed by public law.
If your organisation is carrying out public tasks or exercising public authority, then it should appoint a DPO.
What is large scale processing?
Large scale is not defined in the General Data Protection Regulation. There are a number of factors which should be considered, such as:
- The number of data subjects concerned
- The volume and/or range of the various data items being processed
- How long the processing will last
- The geographical area the processing covers
What is meant by regular and systematic?
Working Party 29, which is made up of the EU's data protection authorities, interprets regular as:
- Ongoing or occurring at particular intervals for a particular period and/or
- Recurring or repeated at fixed times
Systematic can mean one or more of the following:
- Occurring according to a system
- Pre-arranged, organised or methodical
- Taking place as part of a general plan for data collection
- Carried out as part of a strategy
What qualifications should a Data Protection Officer hold?
The required qualifications are not defined in the GDPR. Article 37.5 of the GDPR states that a Data Protection Officer
“shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.”
Organisations should take into account the scale, complexity and sensitivity of their data processing operations when considering the qualities and qualifications of a Data Protection Officer.
Conflicts of interest should be avoided at all costs. The DPO should never be in a position where they can decide the purpose and use of the personal data being collected.
Where a DPO is appointed, you will be required to publish their contact details and communicate this information effectively.
Where can I get some help with GDPR compliance?