Outsourced Data Protection Officer (DPO)
The regulatory body has made it clear that, over the long term, appointing a DPO may help businesses reduce the risk of non-compliance with the GDPR. Some organisations, however, are compelled by the new legislation to appoint a DPO – this includes situations where:
- The processing is conducted by a public authority or body
- The central and core activities of the processor concern the regular processing and monitoring of data subjects on a large scale (e.g. online behaviour tracking)
  (The working party WP29 is currently clarifying what constitutes “large-scale”.)
- The processing involves special categories of data, or data relating to criminal convictions and offences
What is a DPO?
Data Protection Officer: A person charged with protecting PII (personally identifiable information) and helping an organisation meet the GDPR compliance requirements.
DPOs may be internal or external, but the law requires them to have sufficient expert knowledge; the level of expertise required will depend on the processing activities for which they are responsible.
According to Article 39 of the Regulation, the DPO is responsible for monitoring compliance with the regulation, providing information and advice, and liaising with the supervisory authority (the ICO in the UK). In addition, the DPO:
- Must report to the highest level of management within the business
- May have other roles, as long as those roles do not give rise to conflicts of interest
- Must be able to operate independently and must not be dismissed or penalised for performing their tasks
Your DPO must be involved in all areas and issues relating to the protection of personal data, as specified by Article 38 of the GDPR:
- The DPO must be involved at the earliest possible stage
- Controllers and processors must seek the DPO’s advice on DPIAs
- The DPO must be part of the relevant working groups dealing with data processing
DPO Main Responsibilities
- Monitor compliance, including assigning responsibilities and training staff
- Advise Controllers and/or Processors of their legal obligations
- Advise on Data Protection Impact Assessments (DPIA)
- Cooperate with the Supervisory Authority and act as their contact point for all issues relating to personal data (including breaches)
Please remember that data protection compliance remains the corporate responsibility of the Data Controller (your company), not of the DPO. It is therefore important that the advice and assistance you receive fully fit your requirements, and that your company allocates sufficient time and resources to support your DPO.
VXPartners are qualified to handle the Data Protection Officer function on behalf of clients and can construct a compliance framework to fit each business’s needs, ensuring they fulfil their obligations under the GDPR.
To discuss your requirements, and whether you should appoint a DPO, please contact us now.
Tel: 01225 683085