Under the new General Data Protection Regulation (GDPR), which comes into force on 25 May 2018, it is mandatory for certain businesses to appoint a Data Protection Officer (DPO).
When must a DPO be appointed?
You must appoint a DPO if you are a public authority or:
- Carry out monitoring of individuals; or
- Carry out processing of special categories of data (i.e. race, religion, health) or data relating to criminal convictions and offences.
The activities must be on a large scale and a core activity of the business.
Must a business be a certain size to need to appoint a DPO?
No, if you fall into one of the above categories, you must appoint a DPO. There are no minimum size requirements for a DPO to be necessary.
Who can be a DPO?
A DPO can be a new employee or an existing employee who also undertakes another role within the business. There must be no conflict of interest if the employee has a dual role.
Can a DPO be external to the business?
Yes, a DPO role can be externally contracted out.
What does a DPO do?
DPO duties include:
- Advising the business (and staff members) of their obligations to comply with data protection laws (including the GDPR);
- Monitoring compliance with data protection laws (including the GDPR);
- Acting as the first point of contact for individuals whose data the business processes and for supervisory authorities.
I don’t think I need a DPO, but what are the implications?
Although a DPO may not be mandatory, you are still able to appoint one. If you feel that you do not need to appoint a DPO under the GDPR, you must ensure that you and your employees are able to comply with all aspects of the GDPR.
What are the risks of non-compliance?
If you do not appoint a DPO where it is necessary to do so, your business may face fines of up to the higher of €10,000,000 or 2% of your worldwide turnover.
You're on our blog and updates site, which is hosted by Markel Law Hub a leading digital hub powered by the award-winning lawyers at Markel Law, bringing you real law, made easy.