In today’s episode of Countdown to General Data Protection Regulation (GDPR), Jonathan Armstrong, a partner at Cordery Compliance Ltd in London, and I consider the role of the Data Protection Officer (DPO) in complying with the new regulations, which go live on May 25, 2018. The Cordery Compliance FAQs note that a DPO must be appointed to deal with data protection compliance where:
- The core activities of the data controller or the processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale; or,
- The core activities of the data controller or the processor consist of processing on a large scale of special categories of personal data, namely those revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of genetic and biometric data in order to uniquely identify a person, or data concerning health or sex life and sexual orientation (which can only be processed under certain strict conditions such as where consent has been given), or data relating to criminal convictions and offences.
The DPO must be suitably qualified and is mandated with a number of tasks, including advising on data processing, and must be independent in the performance of those tasks; they will report directly to the highest level of management. Businesses will therefore have to determine whether a DPO must be appointed. Given the significance of privacy compliance today, even if, technically speaking, a DPO is not required to be appointed, a business of a particular size that regularly processes data may wish to consider appointing one in any event.
The role of the DPO is critical in complying with GDPR. The time to start is now. For more information, visit the Cordery GDPR Navigator, which provides a wealth of information to utilize in your data privacy compliance program. Finally, Jonathan Armstrong will be in Houston on April 10, 2018 to put on a 3-hour workshop on GDPR. The event will be held at the South Texas College of Law, from 9-12 AM. You can find out more information on the event and register by going to the GHBER.org site.