The arrival of the General Data Protection Regulation (GDPR) makes it compulsory for many organizations to appoint a data protection officer (DPO). Many businesses are now questioning whether a DPO is a necessity or a role that adds minimal value to the business.
To all those non-believers out there, a DPO shouldn't be viewed as an inconvenience but as a benefit to the business. Not only do they help ensure GDPR compliance, sparing the business a hefty fine, they also provide an added level of scrutiny over how personal data is handled, which should put many business leaders at ease. With cyber-attacks on the increase, isn't a DPO needed now more than ever?
What businesses should appoint a DPO?
There are three instances where the appointment of a DPO is compulsory under GDPR:
- If you are a public authority or body processing personal data
- If your core activities involve regular and systematic monitoring of data subjects on a large scale
- If your core activities involve processing special categories of data (such as health, biometric or political data) on a large scale, or processing data relating to criminal convictions and offences on a large scale
In an ideal world, all businesses would have a DPO regardless of their size or sector, but we don't live in an ideal world. Every business is responsible and accountable for other people's data, so having a DPO is more than just a vanity project. Note that the DPO need not be a full-time hire: GDPR allows the role to be filled by an existing member of staff or by an external contractor, and a group of companies can share a single DPO.
Having an individual who is responsible for monitoring and implementing policies, ensuring staff are trained in data protection, assigning responsibilities and handling data subject requests goes a long way towards ensuring that the business fulfils its GDPR obligations.
Should all businesses have a DPO?
The idea of a DPO has been thrust into the limelight since the introduction of GDPR. If you're not sure whether you need a DPO, consider this...
As of 25 May 2018, organizations in both the public and private sectors that meet any of the criteria above must designate a DPO to take ownership of data protection and ensure the organization's compliance with GDPR. Does this mean you? Even if it doesn't, ask yourself whether you need an individual who will not only focus on data processes, but concentrate on driving the culture shift towards data protection within your organization.
The Role of the Data Protection Officer
The question isn't whether a DPO is good or bad. They are necessary and should be at the heart of an organization's GDPR programme. They inform and advise the organization, and monitor and assess its data processing activities and management procedures. In doing so they aim to determine whether the business is GDPR compliant and where it falls short.
From implementing new policies, educating staff on data protection and assigning responsibilities, to handling data subject requests and acting as the point of contact for the supervisory authority, the responsibilities bestowed on DPOs are extensive. Without them, businesses risk the highest tier of GDPR fines: up to 4% of global annual turnover or €20 million, whichever is greater.
DPOs do not need to be legally qualified, but GDPR requires that they have expert knowledge of data protection law and practices, and in practice they also need an understanding of the organization's structure and IT infrastructure. They need to know what is happening within the business culturally and understand where the risk resides from start to finish. Deep technical expertise is not imperative; it helps support the processes, but it is the DPO's understanding of the issues that will cultivate success.
What happens next?
Plans, strategies and processes should be in place from the very beginning, not put together only after a security breach occurs. Businesses must therefore move away from reactive behavior and get into the habit of being proactive when dealing with personal data.
GDPR should force businesses to act, but we will have to wait a year or two to see whether its implementation has had a positive impact on business security. If it has, more organizations will appoint a DPO even where the regulation does not oblige them to, and demand for DPOs will rise across all sectors.