The UK’s new Data Protection rules (GDPR) will come into force in May 2018. They will require that some organisations must appoint a data protection officer (DPO). Even if your organisation is not obliged to appoint a GDPR DPO, you may decide that a DPO is a good idea to help you discharge your organisation’s data protection obligations.
The UK’s new Data Protection Bill is in its final stages of preparation, and some of the expected guidance has been published by the regulator, the Information Commissioner’s Office. Here are some general pointers to help guide your preparations for the new laws.
When should we start preparing?
Data protection laws have existing in the UK for about 20 years, but much has happened since the first rules were introduced. There is no need to take any specific action to appoint a Data Protection Officer straight away, but you may find it easier to adapt your current data procedures and policies if you start to think about the new rules. We think that there may be risks in making quick decisions at a time when it is not clear how the large players in the market will implement the new rules. However, there may be a shortage of suitable candidates for Data Protection Officer roles, and there is no rule to say that you cannot appoint a DPO now.
Do we need to appoint a Data Protection Officer under the GDPR?
You MUST appoint a GDPR DPO if your organisation is:
- a public authority (other than courts); or
- carrying out large scale systematic monitoring of individuals; or
- carrying out large scale processing of special categories of data; or
- carrying out large scale processing of data relating to criminal convictions and offences.
Those categories mean that DPOs will probably only be appointed by a relatively small number of organisations. If you are unsure whether you carry out “large scale” systematic monitoring or processing of relevant data please contact us.
You MAY appoint a DPO in all other circumstances. Even if you don’t appoint someone formally to the role, it may be useful to have someone at board level and/or a member of the senior management team taking the lead on this important area of work.
What will a GDPR DPO do?
The DPO’s minimum tasks are defined in Article 39 of the GDPR:
- inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws;
- report to the highest management level of the organisation;
- monitor compliance with the GDPR and other data protection laws;
- manage internal data protection activities;
- advise on data protection impact assessments;
- train staff
- conduct internal audits; and
- be the first point of contact for third parties.
If you would like to refer to the relevant GDPR Article, please click here.
A DPO can also perform other tasks, so the role could be combined with someone who deals with company secretarial matters, or other tasks that require similar skills.
What support must the organisation provide?
The organisation must provide adequate resources to allow DPOs to meet their obligations. GDPR DPOs must also operate independently, and cannot be dismissed or penalised for performing their tasks. This means that Data Protection Officers have more protection from unfair dismissal than other employees. If you are going to appoint a DPO you may therefore need to review your employment handbook and employment policies too.
Does the GDPR DPO have to be an employee?
A DPO can be an existing employee, a new recruit or you can contract out the role to a third party service provider. A DPO may work for one organisation, or any group of organisations. In all cases, the professional duties of the DPO will need to be compatible with the duties of the role, so that there are no conflicts of interest. A DPO should have relevant professional experience and knowledge of data protection.
How can Counterculture help?
We are preparing to launch a DPO service to our clients and contacts. Our package of services will cover all of the obligations set out above. We’ll also make sure they are flexible, so that we can provide a level of service that is appropriate to your organisation. Counterculture will be gathering together our solicitors, change management specialists, company secretaries and those experienced in training to make sure our new GDPR DPO service is as comprehensive as possible.
If you would like to receive more information early in 2018, please contact us to register your interest. If you need more bespoke help with a data protection audit, preparing reports or guides, policies, procedures or training guides, please contact Keith Arrowsmith.
If you do not think you need a DPO, but would like assistance in planning for the new regulations, then we can offer audit, review, reports and other bespoke packages of support and advice.
Originally published 11 December 2017