May 25, 2018, is a date with significant meaning if you’re a company that operates within the European Union or processes data that identifies EU citizens. That’s when the new General Data Protection Regulation (GDPR) goes into full effect.
So who at your company will be responsible for ongoing data protection efforts under this forthcoming regulation? Answer: the Data Protection Officer (DPO).
What, exactly, is a DPO?
Under the GDPR, for all businesses that collect components of EU citizens' (“data subjects'”) personal private data, the appointment of a DPO is highly recommended when the business's core activities consist of processing data on a large scale or when the data falls within a special category of personally identifiable information (e.g., racial or ethnic origin, political opinions, religious or philosophical beliefs, etc.). Core activities are defined as the key operations required to fulfill an organization's overall goal. Depending on the size of the organization, the DPO role may be filled by one individual, by a combination of staff, or even outsourced as a for-hire solution to qualified third parties.
What is the role of a DPO?
The DPO should stay well-informed on laws, regulations and practices surrounding the matter of data protection and communicate that knowledge to personnel performing data processing duties. They will monitor the organization’s ongoing compliance with GDPR, as well as internal data protection policies and procedures.
Other major responsibilities include awareness-raising and staff training, along with serving as the point of contact for supervisory authorities, fielding requests from data subjects and acting as adviser when the company conducts a Data Protection Impact Assessment, a process that identifies organizational risk and aids in its mitigation. He or she would report to senior management or the board of directors, and could not be penalized or terminated for performing tasks related to GDPR compliance.
Qualifications of a potential DPO
While the degree of experience and recommended credentials for a DPO are not precisely outlined by the GDPR, organizations should demand a certain level of privacy and data protection expertise. Additionally, though not required to be a legal entity, the DPO needs to ensure that data protection rules are followed, which means the candidate should have a thorough understanding of the GDPR and of privacy laws within the EU. A strong technology background is also desirable, as the DPO would work in conjunction with IT personnel to implement proper data classification, security, retention and disposal procedures.
In summary, a DPO will help your organization prepare for compliance with the GDPR before and after the May 25 implementation date. Strong management and communication skills are a must, since the DPO will be interfacing with internal and external personnel at varying levels, as is comprehensive knowledge of information technologies and data protection standards.
For more information regarding GDPR, please visit the Schneider Downs website, as well as the ongoing Our Thoughts On articles being published by our Risk Advisory professionals. If you have any questions related to your organization’s assignment of a DPO, their responsibilities, or compliance with GDPR, please contact us.