What the ICO says –
“You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.”
What does this mean for your organisation –
It is very important that someone in your organisation, or an external data protection advisor (such as BMGUK Consultancy Ltd), is appointed to take proper responsibility for data protection compliance within your organisation.
A Data Protection Officer (DPO) is responsible for:
- Monitoring compliance with the regulations.
- Providing information and advice, and liaising with the supervisory authority, such as the UK ICO.
- Reporting to the highest level of management within an organisation.
The DPO can have other roles within an organisation so long as this does not give rise to a conflict of interest. Also, a DPO must be able to operate independently and not be penalised or dismissed for doing their tasks.
Due to the significant role a DPO carries out under the GDPR, a DPO needs to have, amongst other things:
- The proper knowledge and training made available to them.
- Adequate support in terms of financial resources, infrastructure and staff, where appropriate, from the highest level in your organisation.
- The authority to carry out the role effectively.
Not every organisation requires a formally appointed DPO, but a DPO must be designated if you are:
- A public authority (except for courts acting in their judicial capacity).
- An organisation that carries out the regular and systematic monitoring of individuals on a large scale.
- An organisation that carries out the large-scale processing of special categories of data, such as health records, or information about criminal convictions.
The role of the DPO under the GDPR is now more prevalent than under the previous data protection act(s) and can be quite confusing in some circumstances. It is also a significantly more involved role within an organisation than previously, so a good recommendation would be to employ the services of a specialist to guide you through this phase of GDPR readiness.
The 12 Days of GDPR snippets are not designed as a guide to make your organisation GDPR compliant; they are just to whet your appetite and get you started. BMGUK Consultancy Ltd has one of the few certified EU GDPR Practitioners in the UK, so get in touch and I can assist your organisation to become GDPR compliant.
What is the GDPR? – It is the new evolution of data protection across the EU. On May 25th, 2018, the General Data Protection Regulation becomes enforceable, so if your organisation processes personally identifiable information of any EU resident then you need to be prepared for the GDPR; otherwise your organisation could face significant penalties.
From the largest multinational down to the smallest of sports clubs anywhere in the world, if your organisation offers goods or services, even free ones, to EU residents then it is highly likely that your organisation will be required to comply with the GDPR.
Whether your organisation is based in the UK or overseas, get in touch with BMGUK Consultancy Ltd for all your GDPR needs.