So, you’ve got a new job title and you’re getting stuck into the role as your company’s new Data Protection Officer. Maybe you volunteered yourself for the position or your boss thought you had the right qualities. However you came by this new title, the chances are, if you are reading this feature, you don’t have a background already as a data protection professional.
So, what is a Data Protection Officer (DPO), what does the role cover and how does the GDPR fit into all this?
GDPR and the Data Protection Act 1998 (DPA)
The GDPR came into force on 25th May 2018 and for some organisations now requires the creation of a new role for a DPO. This new role is in addition to the previous role of Data Controller that was required under The Data Protection Act 1998 (DPA).
The role of a Data Controller (under the DPA) was established as an individual (often a legal person) whose job was to oversee the manner in which data was processed within an organisation.
This differs from a Data Processor that is a third party or person that processes data on behalf of the controller. This can include collection, analysis and storage of data through to distribution, erasure and destruction of data.
The role of a Data Protection Officer is to oversee and implement an organisation’s data protection strategy and ensure compliance with requirements in law as well as those issued by industry specific bodies. For many organisation, this will be a new role that has been created specifically for the adoption and delivery of the new EU legislation on data protection, the GDPR.
The appointment of a DPO under GDPR is mandatory in organisations that:
- Are a public body.
- Engage in data processing operations on a large scale that require systematic and regular monitoring of data.
- Process personal data that falls into specific categories including health, religion, sexual orientation and race.
Some smaller organisations that previously had a Data Controller will have simply changed the job title to incorporate the provision for GDPR compliance; however, most companies will have supplemented their team with a new Data Protection Officer to enhance their data security team.
The GDPR is explicit in its provisions for the responsibilities and authorities pertaining to all roles in the protection of data in an organisation.
At the top level, a Data Controller still has the responsibility for the overall purpose and methods by which personal data is processed. Under GDPR, this means that a Data Controller must:
- Identify and report on the legal basis for the need to collect, store and process personal data.
- Identify and document the kind of personal data being collected, stored and processed as well as the process for doing so and with whom this information is being shared.
- Identify and put into policy the means by which consent for personal data is being collected, stored and processed. This should include the methods for withdrawing consent as well as fully auditable documentation on the methods for obtaining consent.
- Register with the Information Commissioner’s Office (ICO).
Data Protection Officers are the means by which this policy and strategy is implemented within an organisation. It is their duty to:
- Monitor and report on compliance with internal policies and external legislation.
- Provide advice to the organisation on how to comply with internal policies and external legislation.
- Analyse Data Protection Impact Assessments (DPIA) and provide feedback for improvements based on their findings.
- Be a point of contact for the ICO.
Details of both the Data Controller and Data Protection Officer must be recorded and kept updated with the ICO. Even if your company decides that their organisation does not meet the requirements for a DPO, you should still record this decision and keep this on file. This will ensure that you maintain compliance with the GDPR (Article 5 (2)).
The scope of the role of a Data Protection Officer is far-reaching and starting out can be a daunting prospect. Particularly when you consider that failing to comply with GDPR comes with some pretty hefty fines.
Crucially, the success of fulfilling the key criteria of this job function relies on an understanding of where and how personal data is currently being collected, stored and processed.
Software solutions like FileFacets can help identify data using sophisticated data discovery tools as well as help DPOs protect data privacy, mitigate risk and achieve compliance with GDPR. With so much at stake, it is important to get all the help you can in your new role.
Congratulations, by the way.