Is your organization DPO ready?

Data Protection Officer

By now organizations will have heard about the new EU General Data Protection Regulation (GDPR), set to take effect on May 25th 2018. It is the largest piece of data protection legislation to be passed in the history of the EU (Irish Times, 2017).

The fundamental objective of the regulation is to strengthen and reinforce the rights of the individual (the data subject) and to create a much needed harmonization of data protection law across the European single market. The new legislation will apply uniformly across all EU member states and brings with it a major shift in the regulatory landscape. The introduction of this new EU data protection framework presents new challenges for business, making it imperative for organizations to act now and prepare accordingly to ensure compliance with the reform come May 2018.

GDPR imposes new, more rigorous obligations on organizations for the collection and processing of personal data and introduces new and improved rights for the individual. The introduction of the regulation reinforces Europe’s position of adopting an extremely protective approach to the processing and controlling of the personal data of its citizens.

As mentioned above, the legislation stipulates a number of new protections. One of the major requirements outlined in the regulation is the mandatory appointment of a dedicated Data Protection Officer (DPO). 

The DPO role itself will be independent of the organization: the DPO will be answerable to the Lead Authority (in Ireland that will be the Data Protection Commissioner) and will not be subject to the company board of directors. The position can be assigned internally to a current staff member, or the role can be contracted out to a third party service provider.

Who needs a DPO?

The question most organizations are asking is: does my business need a DPO?

In short, yes. The current view is that all organizations will need access to a DPO and their services, unless the business can prove that it does not.

Article 37 of the reform specifies that the appointment of a DPO is required where:

  • The organization is a public authority or body processing and controlling personal data
  • The core activities of the controller or processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale
  • The core activities of the controller or processor consist of processing special categories of data on a large scale

The introduction of the new GDPR and its significant sanctions for non-compliance signal Europe’s intention to lead the way in setting a global gold standard in data privacy and protection law. Protecting and safeguarding the personal data of data subjects is the main principle underpinning this major reform, which will alter the regulatory landscape for all organizations.

The reform places greater accountability on data processors and controllers in the handling of EU citizens’ personal data. GDPR will not just affect businesses indigenous to the EU; non-European companies will also have to comply with European data protection law if they operate within the European market.