Data Protection Officer (DPO) | A Wirehouse GDPR Guide
Date: 14th February 2018 | Categories: Employment law, GDPR
The new GDPR legislation dictates that organisations that fall within the 3 categories below, should have a Data Protection Officer (DPO) in place by 25th May and on a continual basis thereafter. If you fall into one of the categories then it is mandatory to appoint a DPO, even if these categories don’t apply to your business it may still benefit you to have a DPO in place to oversee general compliance of GDPR within the organisation.
- Public Authorities (except for courts acting in their judicial capacity);
- Organisations who carry out large scale systematic monitoring of individuals (for example, online behaviour tracking, CCTV recording); or
- Organisations that carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
Who Should be Appointed as DPO?
That’s a decision for each organisation themselves. You may decide that your processing activities are of such a level that you need to recruit someone new for a full or part time position. Alternatively, you may decide to recruit internally and add to an existing employee’s job description. If you are doing this, just be mindful to afford them sufficient time off from their normal duties to undertake this additional workload.
You should also be mindful not to impose this duty on an employee; try to follow an internal recruitment process or a consultation process to change terms and conditions of employment. It’s always best to give the duties to someone willing and enthusiastic to do it to make sure it’s done correctly. It should also be someone you can trust (bound by confidentiality), someone who has access to communicate with higher management and be accessible to all data subjects.
Don’t forget to update the employee’s job description if they are going to be your organisation’s assigned Data Protection Officer.
The Role of a Data Protection Officer
Their main tasks will involve:
- Informing and advising on GDPR legislation.
- Monitoring compliance within the organisation.
- Provide advice on data protection impact assessments.
- Cooperate and liaise with the supervisory authority, the ICO (Information Commissioner’s Office)
- Be a point of contact for data subjects.
It’s important not to expect an ‘all round’ service from the DPO. They can advise on GDPR compliance but they are going to need support from various other roles such as:
- IT specialists for advice on security measures to implement.
- Legal team / advice – for help when observing compliance with legal documentation such as privacy notices, contractual clause etc.
- Asset owners – whoever ‘owns’ the personal data needs to take responsibility for their area (i.e. Finance Director of the payroll data or customer financial information etc.) – it is only for the DPO to help advise on Risk Assessments and oversee compliance, rather than undertake the Risk Assessments and implement the measures for them.
- Stakeholders on board – make sure all higher management and in particular, an ‘accountable Director’ understands GDPR and is willing to listen to and support the DPO.
Remember that monitoring of GDPR is an ongoing task and not something that will cease when you have undertaken your initial steps in becoming compliant. The DPO will need to undertake regular reviews of compliance as well as be there for advice when a breach occurs, interpretation of policies, assistance with data subject access requests, assistance with Risk Assessments of any new personal data processing projects being introduced etc.
Protection of the DPO
A DPO is protected in Employment Law. Therefore you need to be mindful of this, particularly if trying to rely on the ‘2 year rule’ of dismissing someone in their probation or their first 2 years’ of employment when they generally can’t claim unfair dismissal save for a few exceptions. For example; if a DPO reports a breach of GDPR in the organisation to you and you ask them to keep it quiet but they inform the ICO (supervisory authority) against your wishes, you can’t then dismiss them or treat them detrimentally because of this, as they are regarded as a ‘whistle blower’ and afforded such protection in law.
Wirehouse now have a GDPR Service in place, as the new regulations cover more than just your employee personal data and in most cases, is outside the remit of HR and Employment Law. For more information about this new service that we provide, please contact our GDPR Practitioner Joanne Kay for an outline of the services and costs.