Join David Booth for an in-depth discussion in this video Appointing a data protection officer (DPO), part of GDPR for Marketers.
- [Instructor] There's a lot to the GDPR and a lot of things to be aware of and comply with. And with severe punishments for not following the rules, you may be feeling a little nervous especially if you don't have the time or resources to devote to all of this. The reality is that wherever you sit on the readiness spectrum, you'll need to understand the requirements of GDPR, take on the projects and initiatives to achieve compliance, and monitor things to maintain that compliance from here on out. And the concept of a data protection officer or a DPO may help.
The first thing to note is that for some organizations, no matter how big or how small, it may be mandatory for you to have a DPO. But before you start putting together a job description, it's equally important to know that some organizations will not be required to fill this role. Let's talk about the three main scenarios where you'll absolutely need to have a DPO inside your organization. First, if any processing of data is carried out by a public authority, you'll need a DPO.
Second, if the core activities of your organization consist of regular and systematic processing of personal data on a large scale, you'll also need a DPO. And last, if the core activities of your organization consist of large scale processing of the sensitive types of data we discussed earlier or data relating to any criminal convictions or offenses, then you'll need a DPO. Now parts of that criteria set are equally specific and vague. And you'll need to decide what terms like regular and systematic, core activities, and large scale mean to you and your organization.
If you do decide that you need, or if you come to the conclusion that it's a good idea to have, a DPO, then it's important to know what kind of a person should be filling this role, and the GDPR provides some specificity here. Article 38 outlines the role of a DPO, and there are a few key points. First, a DPO can have other tasks and duties not related to data protection, which is widely interpreted as a freedom to appoint an existing member of your organization to this role so long as there's no conflict of interest and the responsibilities and other criteria can still be met.
A DPO is also protected and cannot be influenced, fired, or penalized for doing the job they're supposed to do. And they need to report directly into the highest level of management inside the organization. They must also be empowered. A DPO needs to be included in any activity in which data protection is a factor, and they have to be supplied with the resources needed to perform their job. So what is that job exactly? Well, that's what Article 39 addresses. And again, there are some key points to consider.
A DPO's responsibilities include informing and advising an organization and its employees as to the GDPR, and the monitoring and maintaining of compliance. This includes training and educating staff, performing data protection impact assessments, and making sure auditing tasks are being done. A DPO also needs to cooperate with and serve as the contact point between the organization and its supervisory authority, and has to be available to data subjects for anything relating to the processing of their personal data or their rights.
Whether or not you need or want a DPO is a decision that every organization will need to make for themselves. But knowing when one is required and what a DPO does is a good first step towards making that decision.
- Define “personal data.”
- Name three data subject rights provided by GDPR.
- Recall the steps that need to be taken to comply with GDPR.
- Explain “privacy by design.”
- Identify the responsibilities of a data protection officer.
- Recognize the steps required to audit your data and processes.