May 25, 2018, is a date with significant meaning if you’re a company that operates within the European Union or processes data that identifies EU citizens. That’s when the new General Data Protection Regulation (GDPR) goes into full effect.
So who at your company will be responsible for ongoing data protection efforts under this forthcoming regulation? Answer: the Data Protection Officer (DPO).
What, exactly, is a DPO?
Under the GDPR, any business that collects personal data of EU citizens (the “data subjects”) is strongly encouraged to appoint a DPO when its core activities consist of processing data on a large scale, or when the data falls within a special classification of personally identifiable information (e.g., racial or ethnic origin, political opinions, religious or philosophical beliefs, etc.). Core activities are defined as the key operations required to fulfill an organization’s overall goal. Depending on the size of the organization, the DPO role may be filled by one individual, by a combination of staff, or even outsourced as a for-hire solution to qualified third parties.
What is the role of a DPO?
The DPO should stay well-informed on laws, regulations and practices surrounding the matter of data protection and communicate that knowledge to personnel performing data processing duties. They will monitor the organization’s ongoing compliance with GDPR, as well as internal data protection policies and procedures.
Other major responsibilities include awareness-raising and staff training, along with serving as the point of contact for supervisory authorities, fielding requests from data subjects, and acting as adviser when the company conducts a Data Protection Impact Assessment, a process that identifies organizational risk and aids in its mitigation. He or she would report to senior management or the board of directors, and could not be penalized or terminated for performing tasks related to GDPR compliance.
Qualifications of a potential DPO
While the degree of experience and the recommended credentials for a DPO are not precisely outlined by GDPR, organizations should demand a certain level of privacy and data protection expertise. Additionally, though not required to be a legal entity, the DPO needs to ensure that data protection rules are followed, which means the candidate should have a thorough understanding of GDPR and privacy laws within the EU. A strong technology background is also desirable, as the DPO would work in conjunction with IT personnel to implement proper data classification, security, retention and disposal procedures.
In summary, a DPO will help your organization prepare for compliance with GDPR before and after the May 25 implementation date. Strong management and communication skills are a must, since the DPO will be interfacing with internal and external personnel at varying levels, as is comprehensive knowledge of information technologies and data protection standards.
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].