What is a DPO?
The General Data Protection Regulation (GDPR) makes it compulsory for some organisations to appoint a data protection officer (DPO), an expert in data protection law and practice. Effective from 25th May 2018, the GDPR provides for fines of up to 4% of worldwide annual turnover (or €20,000,000) in case of non-compliance.
Does the GDPR mean that I must appoint a data protection officer (DPO)?
The GDPR specifies that the following types of organisation must appoint a DPO:
- Public authorities, except for courts acting in their judicial capacity
- Organisations whose core operations require regular and systematic monitoring of individuals on a large scale
- Organisations whose core activities consist of processing special categories of personal data (special categories include data revealing ethnic origin, political opinions or philosophical beliefs, or trade union membership, data concerning health, or data concerning an individual’s sex life or orientation).
Why do I need a DPO?
Under Article 37 of the GDPR, there are three main scenarios where the appointment of a DPO by a controller or processor is mandatory:
- The processing is carried out by a public authority
- The core activities of the controller or processor consist of processing operations which require regular and systematic processing of data subjects on a large scale
- The core activities of the controller or processor consist of processing on a large scale of sensitive data (Article 9) or data relating to criminal convictions / offences (Article 10)
Who can be a DPO?
The DPO is the data protection focal point in the organisation and should possess expert knowledge of data protection laws and practices. They should have adequate experience in the data privacy domain and should understand the business of the organisation. They should hold professional experience at managerial level in cyber security, risk and compliance, or an IT department.
Where should / can the DPO be based?
The DPO can be either in-house or outsourced. Smaller companies do not need a full-time DPO; they can outsource the role to a qualified external provider under a service contract. Location does not matter for a DPO: he or she can be based in any geography.
When would I need a DPO?
Appointing a DPO in an organisation that handles personal data is a legal requirement not just under the GDPR but under other legislation as well. Not complying with the GDPR after 25th May 2018 exposes the organisation to substantial penalties.
What can I do if I cannot find a DPO for my organisation?
The GDPR allows organisations to outsource the role of DPO to a third-party service provider. It also recognises that many organisations will not need a full-time DPO; the role may be filled on a part-time basis.
How to get DPO services?
If at any time you choose to outsource or contract out your DPO role to us:
- You pay for a minimum of one hour per month
- Our name is registered with the supervisory authority (SA) as your DPO
- Your hour per month can be used as you wish
- Additional hours can be purchased if required
What will a DPO for my Organization do?
- Work with the board and senior management on the organisation’s privacy framework
- Inform and advise the organisation about its obligations to comply with the GDPR, the UK Data Protection Act 2018, NIA, the Indian Data Protection Bill (pending), and other data protection laws
- Assist with Subject Access Requests, requests to be forgotten and the other rights of the data subject
- Provide advice and guidance on data protection issues
- Monitor compliance with the GDPR, the UKDPA 2018, NIA and other data protection laws
- Draft policies and processes
- Manage internal data protection activities
- Advise on data protection impact assessments
- Train staff
- Conduct internal audits
- Be the first point of contact for the supervisory authority
- Be the first point of contact for individuals whose data is processed (employees, customers, etc.)
What do we have to do to support the DPO?
You must ensure that:
- The DPO is involved, closely and in a timely manner, in all data protection matters
- The DPO reports to the highest management level of your organisation, i.e. board level
- The DPO operates independently and is not dismissed or penalised for performing their tasks
- You provide adequate resources (sufficient time, financial, infrastructure, and, where appropriate, staff) to enable the DPO to meet their GDPR obligations, and to maintain their expert level of knowledge
- You give the DPO appropriate access to personal data and processing activities
- You give the DPO appropriate access to other services within your organisation so that they can receive essential support, input or information
- You seek the advice of your DPO when carrying out a DPIA
- You record the details of your DPO as part of your records of processing activities
What details do we have to publish about the DPO?
The GDPR requires you to:
- Publish the contact details of your DPO
- Provide them to the ICO
This is to enable individuals, your employees and the ICO to contact the DPO as needed. You aren’t required to include the name of the DPO when publishing their contact details, but you can choose to provide this if you think it’s necessary or helpful.
You’re also required to provide your DPO’s contact details in the following circumstances:
- When consulting the ICO under Article 36 about a DPIA
- When providing privacy information to individuals under Articles 13 and 14
How much is it going to cost me?
Depending on the size and nature of your business, a full-time DPO can be very expensive. However, you have the option to hire a part-time DPO, or to outsource or contract out the services of the DPO.
How can we help?
Having a DPO is one of the key ways of demonstrating compliance with the GDPR and the UK Data Protection Act 2018. At PV, we provide you with the best industry resources, who can serve the role of Data Protection Officer (DPO) as a service for your organisation. You may require a DPO because of the mandatory requirements, or you may wish to appoint one to demonstrate compliance with the applicable privacy law to your data subjects and your business partners, as a visible part of your compliance framework.