On 25 May 2018, the General Data Protection Regulation will come into effect. Unless you are a public body, or your business's core activity consists of regular and systematic monitoring of individuals or processing personal data on a large scale, the GDPR does not specifically require you to appoint a DPO. However, it is highly encouraged by the European Article 29 Working Party (WP29) as a matter of good practice and as a way to demonstrate compliance. With this in mind, we look at the main tasks and mission of a data protection officer, should your organisation decide to appoint one.
A data protection officer’s primary goal will be to assist during the implementation project for the GDPR. They will have to give advice, information and recommendations when necessary.
The data protection officer needs to eat, sleep and breathe data protection, and be aware of risks at all times. The Regulation sets out the main tasks of the DPO, which include:
- Inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
- Monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- Provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
- Cooperate with the supervisory authority;
- Act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
Even though a data protection officer can perform other tasks, they have to be involved in all issues related to personal data protection. Ensure that the DPO exercises their functions independently and reports to the highest level of management; for example, the DPO cannot also be an IT or Information Security Director.
Have you decided to appoint a data protection officer? Get your prospective DPO up to speed with our five-day certified EU GDPR Foundation & Practitioner course.