In May 2018, the General Data Protection Regulation (GDPR), adopted by the European Parliament and Council in April 2016, will replace the Data Protection Directive 95/46/EC as the primary law regulating how companies protect the personal data of individuals in the EU.
Organisations which fail to comply with the GDPR face fines of up to 4 per cent of the business’ annual worldwide turnover or €20 million, whichever amount is greater. And, under the GDPR, the supervisory authority (the Data Protection Authority, DPA) must be notified of a personal data breach within 72 hours of the organisation becoming aware of it.
The Data Protection Officer
A data protection officer (DPO) is an enterprise security leadership role required by the General Data Protection Regulation (GDPR). Data protection officers are responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements.
Failure to appoint a DPO where one is required risks a fine of up to €10 million or 2 per cent of the organisation’s annual worldwide turnover, whichever amount is higher.
Under Article 37 of the GDPR, organisations must appoint a Data Protection Officer in the following cases:
- The processing (of personal data) is carried out by a public authority or public body, except for courts acting in their judicial capacity;
- The core activities of the controller or processor consist of processing operations which require regular and systematic monitoring of ‘data subjects’ (the individuals the data relates to) on a large scale;
- The core activities of the controller or processor consist of large-scale processing of the ‘special categories’ of personal data defined in the GDPR (such as health data), or of data relating to criminal convictions and offences.
Data Protection Officer Responsibilities and Requirements
As set out in Article 39 of the GDPR, the DPO’s responsibilities include, but are not limited to, the following:
- Inform and advise the organization and staff who process personal data of their obligations, as per the Regulation and other EU or local data protection provisions;
- Monitor compliance with the Regulation, with other EU or local data protection provisions and with the data protection policies of the organization, including the assignment of responsibilities, awareness-raising and training of the staff involved in the processing operations, and the related audits;
- Provide advice, where requested, on data protection impact assessment and monitor its performance;
- Cooperate with the supervisory authority and act as the organisation’s contact point on issues related to the processing of personal data, including prior consultation with the authority on high-risk processing;
- Respond to individuals whose data is processed (employees, clients and similar) on all issues related to the processing of their data and the exercise of their rights under the Regulation.
Data Protection Officer Skills and Qualifications
The GDPR does not specify the precise credentials a DPO is expected to have. The Article 29 Working Party (WP29), in its published guidelines on DPOs, clarifies this by setting out minimum expectations regarding the expertise and skills of the DPO.
Level of expertise – The Regulation itself requires only that the DPO be designated on the basis of professional qualities and, in particular, “expert knowledge of data protection law and practices”. The WP29 guidelines expand on this: the DPO should be able to inform and advise senior management, conduct data protection impact assessments, advise on risk assessments, and bring a range of other “soft” and “hard” skills, including an understanding of the technologies used in the organisation’s activities and their capabilities.
Professional qualities – DPOs do not have to be lawyers, but must have expertise in national and European data protection law, including an in-depth knowledge of the GDPR. From a practical perspective, DPOs must have a reasonable understanding of the organisation’s technical and organisational structure and be familiar with information technologies and data security.
The DPO is bound by confidentiality in carrying out his or her tasks. Above all, the DPO needs to be assertive and authoritative: the organisation must take notice and act when the DPO calls for action.
To help ensure that DPOs are autonomous and independent, the GDPR protects them from being dismissed or penalised for performing their DPO tasks. A DPO who is an employee of the business may also benefit from the protections afforded by local employment law in some EU Member States, making it difficult for businesses to remove DPOs from their roles.