Significant steps must be taken to ensure your organisation achieves and maintains compliance with the GDPR. There are operational implications to consider and many practical issues to address as part of the process. One of the most important ones is deciding whether or not your organisation needs a Data Protection Officer.
GDPR makes the appointment of a DPO mandatory for organisations whose core activities involve the “regular and systematic monitoring of data subjects on a large scale” and for those that conduct large-scale processing of “special categories of personal data” [designation of DPO – Article 37; “special categories” outlined in Article 9]. Based on these stipulations, many organisations fall outside the general mandatory designation requirement, but domestic regulators are free to extend it, so in many EU countries the threshold is wider; in Croatia and Germany, for example, an exemption will apply to only a very limited number of organisations. DPO appointments can also be made on a voluntary basis; it’s important to note that a voluntary designation is subject to the same strict requirements under GDPR as a mandatory one.
While a Data Protection function is likely to exist within your organisation already, GDPR imposes much stricter conditions, so if you decide you must or should appoint a DPO, assigning the role to somebody as a tack-on to their day job is probably not a good idea.
Whether it’s a mandatory or voluntary designation, there’s no question that it’s a significant investment and a major part of your GDPR preparations. The process of recruiting or training a suitable individual should begin as soon as possible, not least because the skills and expertise they bring can be used to guide you through your GDPR preparations.
The DPO must be “designated on the basis of professional qualities” [Article 37.5]. They must have:
[Article 39 sets out the minimum tasks of the DPO]
The DPO must at least:
GDPR expressly says that a DPO can be an employee or a contracted service [Article 37.6].
If you opt for a staff member (existing or new hire), the designated person can be full-time or part-time, and the function can be a team or one person in a single or dual role.
On the other hand, you might determine that appointing an external contractor is the better option for your organisation.
The important thing is that you should be satisfied that the appointee can carry out their role effectively and that, should they have another role, it does not conflict or otherwise interfere with their DPO tasks.
… there you have it. To appoint or not to appoint and, if so, who will it be? There are many things to consider in the decision process, the most significant of which is that the DPO is a regulated function: a failure in it could lead to a breach of the GDPR and, as such, to a significant financial sanction. Make sure you take the time to consider all of your options to ensure that you make the best possible decision for your organisation’s particular needs.
By: Fiona Kiely
Published: August 2017
Modified: January 2018
To learn how CalQRisk can help your organisation in fulfilling its GDPR obligations, contact us today.