When the General Data Protection Regulation (GDPR) applies from 25 May 2018, businesses and organizations will be required to appoint a data protection officer (DPO) if they are a public authority, if their core activities involve regular and systematic monitoring of individuals on a large scale, or if their core activities involve large-scale processing of sensitive (special category) personal data. The DPO can be an internal employee or an external contractor.
There is no prescribed formal qualification for the DPO, but the GDPR does require that they be chosen for their professional qualities and, in particular, for expert knowledge of data protection law and practice, so that they can carry out the role effectively.
What is the role of a DPO?
There are several responsibilities that are associated with being a DPO.
- To inform and advise the business or organization, and the staff who process personal data, about their obligations under the GDPR, and to flag any compliance issues.
- To monitor compliance with the GDPR and with any other applicable data protection laws, as well as with the organization's own data protection policies.
- To advise on all aspects of the GDPR, including data protection impact assessments, and to provide staff training and awareness-raising where applicable.
- To cooperate with the supervisory authority and act as the organization's point of contact on all aspects of data protection and compliance.
What must the employer do?
Having looked at the role of the DPO, let’s examine what the employer has to do.
- Ensure that the DPO reports directly to the highest level of management in the business or organization.
- Ensure that the DPO is independent: they must not be instructed on how to perform their tasks, and they must not be dismissed or penalized for performing them.
- Ensure that the DPO has the resources, access to personal data and processing operations, and time needed to carry out the role effectively.
The responsibilities of both employers and DPOs are pivotal in ensuring that businesses comply with the GDPR once it applies.