GDPR role and requirement

by Mark Rowe

In May 2018, businesses and retailers that are based in the European Union (EU), have customers who reside in the EU, and handle the personal data of EU citizens will have to comply with new data protection regulations: the GDPR (General Data Protection Regulation), writes Steve Inglessis, Commercial Director at DataRaze, a data destruction company.

GDPR represents the most significant change in data privacy regulation in 20 years. Organisations which fail to adhere to the GDPR’s data compliance rules will receive fines of 4pc of the business’ worldwide turnover, or 20 million euros, whichever amount is greater. And, under GDPR, the Data Protection Authority (DPA) must be informed of data breaches within 72 hours of that breach being detected.

As a result, the GDPR mandates that all public sector organisations and many private sector organisations designate a Data Protection Officer (DPO) who will take ownership of data management and ensure the organisation’s compliance with the GDPR. Under Article 37 of the GDPR, DPOs are only mandatory where an organisation’s core activities consist of:

Data processing operations which require regular and systematic monitoring of data subjects on a large scale or monitoring of individuals;
Processing a large scale of special categories of data (i.e. sensitive data such as health, religion, race, sexual orientation etc); and
Data processing being carried out by a public authority or body processing personal data, except for courts operating in their judicial capacity.

Failure to appoint a DPO where required risks a fine of ten million euros or 2pc of the organisation’s worldwide turnover, whichever amount is higher.

Role

Appointed on the basis of ‘professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39’ (stated by Article 37), the DPO is a designated individual within an organisation who is responsible for overseeing and ensuring that organisation’s complete compliance with data regulations – including both the Data Protection Act and GDPR.

DPOs ultimately manage, monitor and assess an organisation’s data processing and management to determine whether the business is GDPR compliant. Furthermore, the DPO devises the data protection policies and procedures that bring an organisation into compliance with GDPR regulations, including implementing new policies, educating staff on data protection, assigning responsibilities, and handling data requests.

To help them carry out their duties, DPOs can:

Request company resources to fulfil their job functions,
Access the company’s data processing personnel and operations – as their job performance is highly dependent on these factors,
Operate with a level of independence from the employer – and cannot be penalised or dismissed for performing their tasks,
Report directly to the highest management level of the company (the board, trustees, CEOs, founders) and the company is legally obliged to give them the support they need.

Also, the DPO devises the policies and procedures that bring the organisation into compliance with regulation, monitors the implementation of those policies, ensures the professional development of staff in regard to data protection, assigns responsibilities and handles requests for data from the organisation. Lastly, the DPO must ‘inform and advise the controller or the processor of their obligations’ as well as ‘document this activity and the responses received’ and be involved with all issues, scenarios and occurrences related to the protection of personal data. The GDPR sets out the minimum tasks a DPO must perform, which are:

Informing and advising their colleagues of their data protection obligations
Monitoring compliance with the GDPR and the organisation’s data protection policies
Providing advice regarding Privacy Impact Assessments
Co-operating with the relevant supervisory authority; and
Acting as a contact point for the supervisory authority on data processing issues.

It is important to note that while DPOs do not need to be legally qualified, they must have demonstrable expertise, including expert knowledge of data protection law and practices, as well as an understanding of an organisation’s technical structure and IT infrastructure.

What is your next step?

Considering that 95 percent of all security incidents involve human error, organisations should be investigating the recruitment of a DPO now. The longer they delay, the greater the risk they place upon their business. Some may think that this EU directive doesn’t matter in the wake of Brexit – but this is false. GDPR will be introduced irrespective of Brexit or when Article 50 is invoked. A failure to act now could result in businesses sleepwalking into large financial penalties and reputational damage.

© 2024 Professional Security Magazine. All rights reserved.