When your business processes personal data on a large scale, you are required to appoint a DPO (Data Protection Officer) as soon as the GDPR (General Data Protection Regulation) takes effect, which is on May 25 2018. But who is this officer? And what does the DPO actually do?
The Data Protection Officer makes sure that all data protection regulations are met within the organization. For many organizations, the GDPR means it will be required to appoint a DPO. When you process (sensitive) personal data on a large scale, the appointment of this officer is mandatory. But what exactly is ‘processing on a large scale’?
There is a lot of uncertainty about what ‘processing personal data on a large scale’ means. According to the Data Protection Authority, the number of people involved (those whose personal data are being processed), the amount of data being processed and the duration of the processing are the most important criteria for determining whether your business processes personal data on a large scale. Examples include a telephone provider that processes data about your personal Internet behaviour, or a bank that processes your customer data.
The European privacy supervisors expect that a standard for ‘processing on a large scale’ will eventually emerge. This will make it easier to determine whether your business falls under large-scale processing and whether you have to appoint a DPO. Once you know whether you have to appoint a DPO, any data processor you hire will have to do the same, because they are processing your data on your behalf.
Some important tasks of the Data Protection Officer:
The Data Protection Officer may be a staff member or an external advisor. There is no mandatory certification or training to become a Data Protection Officer. It is important that the DPO is able to work independently within the organization, and a conflict of interests must be avoided at all times. This means a Member of the Board cannot be the Data Protection Officer for that same organization.
When you appoint a DPO, you have to publish their contact details: internally, within the organization, but also externally, for example to clients. This could be done by means of a contact form on the company’s website, addressed specifically to the DPO. The contact details of this officer also have to be shared with the Data Protection Authority, using the registration form designed for that purpose. The aim is that the parties concerned and the supervisors can contact the DPO in an easy and confidential manner.
Whether or not you should appoint a DPO can be a rather complex matter. When it is uncertain whether you have to appoint a DPO, the Data Protection Authority states that you must be able to substantiate either choice. Do you have any questions about our Data Protection Officer? Or about the GDPR in general? Please feel free to contact us. We can help you comply with the GDPR.