Data Protection Officer: Mandatory for Your Company?
Data / Technology / IP
When the General Data Protection Regulation (GDPR) comes into force in May 2018, many companies will be obliged to have appointed a Data Protection Officer.
A Data Protection Officer is a position or role within an organisation. The Data Protection Officer oversees the processing of personal and privacy-sensitive information. When the General Data Protection Regulation (GDPR) comes into force in May 2018, many companies will be obliged to have appointed a Data Protection Officer.
What does a Data Protection Officer do?
The Data Protection Officer’s tasks include advising organisations on how to comply with the General Data Protection Regulation, employee training, and conducting internal audits. The Data Protection Officer also acts as the contact person for the supervisory authority and for the individuals to whom the data relates.
Except for certain (small) companies, the Data Protection Officer will keep a register of all organisational processes that involve personal data processing. This register, which should also contain information about the purpose and conditions of the processes, may be made available to the supervisory authority.
What types of organisations are obliged to have a Data Protection Officer?
Public bodies processing personal data (except judicial institutions);
Organisations where systematic monitoring of individuals is part of the core business (e.g. activities such as Google, so-called ""behavioural advertising"", geolocation, tracking visitor behaviour, certain cases of direct marketing, ad tracking, personalised advertising, customer or patient profiles, insurance companies depending on the product, banks, in short, any activity that monitors behaviour);
Organisations where processing of specific data categories (e.g. health or religion) is part of the core business (e.g. hospitals, pharmaceutical companies, certain research institutes, laboratories, market research focused on sensitive data such as political preferences).
These conditions mean that companies processing personal data are not obliged to appoint Data Protection Officers if these processes are not part of their core business. In that case, the company must prove that these processes are not directly related to the organisation’s core business.
Who can be appointed as Data Protection Officer?
There are no specific requirements. The Officer should be an ""expert in the field of data protection legislation"". Therefore, the Officer should have extensive experience in the areas of privacy protection, data security, business processes, and be well-informed about the relevant aspects of the organisation.
The Data Protection Officer could be an existing employee, but there should not be a conflict of interest between the two roles of the employee. For example, a Data Controller cannot be appointed as a Data Protection Officer because he is already responsible for many data processing operations.
External Data Protection Officer
The new European legislation allows the appointment of outside professionals. This is an excellent solution for SMEs and organisations with little in-house knowledge about data security. This role can be fulfilled by a privacy lawyer.
How to prepare for the GDPR?
A lot depends on what is already in place at your company. You should at least:
Review existing privacy notices and existing contracts, in particular with data processors, and update them to comply with the GDPR.
Determine which data protection supervisory authority will be responsible for supervising your organisation’s compliance.
Ensure appropriate procedures are in place to detect, investigate and report data breaches.
Update any internally existing policies or procedures about what personal data is stored, where it came from and with whom it is shared, about individuals’ rights, about access requests (special rules for children).
Document data processing activities and identify the appropriate legal basis to carry out each type of data processing activity.
Review how consent of the individual person is sought, collected and recorded, and ensure that procedures comply with the new requirements of the GDPR.
Determine how you will implement Data Protection by Design and Data Protection Impact Assessment within your organisation.
Appoint a Data Protection Officer, if required, or someone to take responsibility for data protection compliance.
This article is based on a blog of Timelex, Belgium, our colleagues from our World IT Lawyers Network. Read article here.