The General Data Protection Regulation ("GDPR") will come into effect on 25 May 2018. It will introduce a number of significant changes for managing data. Central to the operation of the new regime will be the role of the Data Protection Officer ("DPO"). We look at the key considerations for employers who are required to recruit a DPO.
When does an organisation need to appoint a DPO?
An organisation will have to appoint a DPO where its core activities involve processing operations which:
require regular and systematic monitoring of data subjects on a large scale; or
require large scale processing of special categories of data or of data relating to criminal convictions and offences.
In addition, all public authorities and bodies must appoint a DPO. The Article 29 Working Party, the collective group of data protection authorities in Europe, has adopted guidance on DPOs which will assist organisations in determining whether they fall within these categories.
What are the functions of a DPO?
The functions of the DPO will include the following:
involvement in all issues relating to the protection of personal data within the organisation;
monitoring compliance with the GDPR;
advising the employer on carrying out data protection impact assessments as required by the GDPR;
informing and advising the organisation and its employees/personnel who carry out data processing of their obligations under the GDPR and any relevant national data protection provisions;
co-operating with the relevant data protection authority, where necessary;
acting as the contact point for the relevant data protection authority on issues relating to processing;
acting as the contact point for data subjects of the employer in relation to all issues regarding the processing of their personal data and the exercise of their rights under the GDPR; and
assisting with or maintaining records of processing operations under its responsibility and/or categories of processing operations carried out by its employer.
Recruitment of a DPO
There is little guidance available in relation to the level of expertise or professional qualifications that a DPO is required to have. The GDPR does state, however, that the candidate's level of expertise should be proportionate and appropriate to the data processing operations carried out by the employer and to the sensitivity of the data it processes.
In addition, DPOs must have expertise in national and European data protection laws...