What is GDPR?
The General Data Protection Regulation (GDPR) is a regulation adopted by the EU on 27 April 2016 after four years in the works. The regulation aims to harmonise data protection for individuals within the EU by empowering citizens over their personal data.
The GDPR came into effect on 25 May 2018, when it replaced the former data protection directive of 1995. The driving force behind the conception of the GDPR was to give European citizens more control over their own personal data and to provide a common legal framework for businesses to operate in, creating a single market that abides by the same data protection law.
As the GDPR is a directive which affects all EU member states, local governments do not need to pass any additional forms of legislation for it to take effect; however, many EU countries have already begun to adopt the GDPR into local law.
Do You Need To Appoint A Data Protection Officer?
Under Article 37 (1) of the GDPR, there are three main scenarios where the appointment of a Data Protection Officer (DPO) by a controller or processor is mandatory:
- The processing is carried out by a public authority;
- The core activities of the controller or processor consist of processing operations which require regular and systematic processing of data subjects on a large scale;
- The core activities of the controller or processor consist of processing on a large scale of sensitive data or data relating to criminal convictions or offences.
Organisations will need to consider whether any of these triggers are met and, if so, a DPO must be appointed.
DPOs have certain protections under the GDPR which mean that they cannot be dismissed unless they are failing to fulfil their role. It is also necessary for the DPO to have a direct reporting line into senior management, to be established as an independent role, and not to have any conflict of interest with other activities that may be undertaken by the individual.
Organisations should carry out an assessment of whether they need a DPO and document that assessment. If a DPO has not been appointed then it will be important to ensure that an individual with the appropriate qualifications and expertise is appointed to comply with GDPR requirements. The nature and structure of the role will also need to be considered to ensure that it meets the independence obligations.
Who Can Be A Data Protection Officer?
- A DPO can be a staff member or an external party.
- A DPO can be a sole appointment or joint appointment.
What Professional Qualities Should A Data Protection Officer Have?
- Expertise in Data Protection Law.
- Understanding of the processing operations.
- Understanding of information technologies and data security.
- Knowledge of the business sector and the organisation.
- Ability to promote a data protection culture within the organisation.
- No conflict of interest with possible other tasks and duties.
What Are A Data Protection Officer's Tasks?
- Inform and advise of the obligations under GDPR.
- Monitor compliance with this regulation.
- Provide advice where requested as regards Data Protection Impact Assessments (DPIAs) and monitor their performance.
- Co-operate with the local supervisory authority.
- Have due regard to the risk associated with processing activities.
Employers should note that any organisation is able to appoint a DPO, not just where it is mandatory to do so. The Article 29 Working Party Guidelines state:
…we encourage the voluntary appointment of a Data Protection Officer…
It is important for employers to make sure that someone within their organisation or an external data protection advisor takes responsibility for data protection compliance and has the knowledge, support and authority to do so effectively. Regardless of whether or not the GDPR requires a DPO to be appointed, employers must ensure that they have sufficient staff and skills to discharge their obligations under the GDPR.