GDPR is coming in less than a month – should you appoint a DPO?

With the constant discussion currently around the impending General Data Protection Regulation (GDPR), the role of a data protection officer (DPO) or data compliance officer (DCO) has never been so much in the public eye than lately. With the imminent implementation date, firms need to act fast and assess their possible requirement for a DPO. At a recent financial services seminar, 48% of attendees indicated that they had allocated this responsibility within their firm. In fact, it is predicted that 28,000 additional DPOs will be required by organisations to achieve GDPR compliance by 25 May 2018.

What is a DPO?

A DPO is a significant position within an organisation, responsible for overseeing data protection strategy and implementation to ensure compliance with the new GDPR requirements by 25 May 2018.

Does your organisation need a DPO?

A DPO will be a requirement for organisations under GDPR if they process or store large amounts of personal data, whether for employees, individuals external to the organisation, or both. DPOs must be appointed where the core activities of the controller or processor involve regular and systematic monitoring of data subjects on a large scale, or where the entity conducts large scale processing of special categories of personal data.

What are the responsibilities of a DPO?

Some of the responsibilities of a DPO include educating the organisation and its employees on important compliance requirements, training staff involved in data processing, and conducting regular security audits. DPOs also serve as the point of contact between the organisation and any supervisory authorities that oversee activities related to data.

What if your organisation falls outside the scope of having a DPO?

If your organisation falls outside of the scope to have a mandatory DPO, there is still a requirement under the new regulation for you to have a data compliance officer. A DCO is best defined as an individual designated with the role of ensuring compliance with any regulatory requirements and is known to be the point of contact across the organisation who will be expected to handle any events that materialise in respect of data protection.

What should you be doing now?

If you haven’t done so, you need to assess if your organisation is required to have a data protection officer (DPO). If not, have you designated the responsibility of data protection to an individual within the organisation? 33% of financial services firms in a recent poll highlighted that they were not at all prepared for GDPR. Firms should consider the following top areas to ensure they are fully compliant with GDPR:
  • Personal information
Are you fully aware of what personal information you hold and where within your organisation this information is maintained and managed?
  • Privacy policy
Have you addressed how you are going to communicate your data privacy procedures to your external stakeholders? Has your privacy policy been reviewed to ensure this is going to be compliant under GDPR?
  • Lawful basis for processing
Have you considered your lawful basis for processing the information you have? Have you determined your lawful basis before you begin processing and are you documenting it?
  • Consent
Have your contacts expressed explicit consent to process their data? For example, have they approved to receive communications? Have you made it easy for people to manage mailing preferences? Are you recording the opt-ins obtained so you have a record of these?
  • Data controller and data processor
Do you use third parties to process information on your behalf? If so, have you considered the data controller and data processor requirements under GDPR?
  • Data breach
What is your organisation's policy for reacting to a data breach? Will this policy be able to meet the new data breach reporting deadlines set under GDPR? Is everyone aware of the data breach policy throughout the organisation?

Act now to be on track to GDPR compliance

Answering such questions and complying with the GDPR is no small job. Your organisation needs to be on track to GDPR compliance now, or you may risk a regulatory breach and a potentially large financial penalty.

We can help you tackle GDPR compliance before time runs out. Please contact Chris Beveridge if you are in need of urgent assistance for the new data protection rules. We would welcome the opportunity to meet and help you successfully prepare for GDPR.

Leave a comment

 Security code