Data Privacy Consultancy

The General Data Protection Regulation (GDPR) has made it obligatory for all public authority or bodies to appoint a Data Protection Officer (DPO) or Privacy Expert. A DPO or Privacy Expert is also essential for organisations that carry out certain types of sensitive data processing activities.

The main role of a DPO or Privacy Expert is to assist an organisation through their expert advice on privacy protection and data compliance with the law. A DPO or Privacy Expert informs the organisation and takes the necessary as an internal watchdog to ensure compliance with all the privacy and data protection mechanisms of the organisation.

The DPO or Privacy Expert is also responsible for conducting a Data Protection Impact Assessment (DPIA) for the firm whenever a new project or task begins for the first time. This takes into account the potential threats and helps in mitigating the key risks. According to the GDPR law, the DPO or Privacy Expert must be an independent expert who takes on the role of ensuring that an organization is compliant with data privacy regulation.

The requirements for a good DPO or Privacy Expert include: the person should be adequately resourced and report to the highest management level as issues arise. The General Data Protection Regulation (GDPR) allows an existing employee or externally appointed person to be given this role. Sometimes organisations may share a DPO or Privacy Expert as well. A DPO or Privacy Expert can help the firm with accountability as well as management.

Who needs a Data Protection Officer or Privacy Expert?

The General Data Protection Regulation (GDPR) has mandated the need for a DPO or Privacy Expert for organizations that include:

• A public authority or body (except for courts acting in their judicial capacity);
• Whose core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
• Whose core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.

Now the key point to focus on here is that they can be both data controllers and processors. Some organisations may appoint a DPO or Privacy Expert just for the sake of an extra safety layer even if it is not explicitly required of them to do so.

What are ‘core activities’?

The core activities are the primary business activities of an organisation. While HR is not a primary activity but choosing who gets to receive a home loan in a bank will be one of its core activities.

What are the guidelines for the DPO or Privacy Expert?

The DPO or Privacy Expert must look into:

• the numbers of data subjects concerned;
• the volume of personal data being processed;
• the range of different data items being processed;
• the geographical extent of the activity and
• the duration or permanence of the processing activity.

Once these factors are evaluated the DPO or Privacy Expert must see if a proper Data Protection Impact Assessment (DPIA) is required or only a basic interrogation into the privacy compliance practices is needed for the firm. This is highly essential for all new DPO’s or Privacy Experts who are joining an organisation for the first time.

What professional qualities should the DPO or Privacy Expert have?

• The DPO or Privacy Expert should be chosen as per their professional qualities, and in particular, experience and expert knowledge of data protection law.
• There are no precise credentials that they are expected to have, but it does say that this should be proportionate to the type of processing that an organization carries out.
• The DPO or Privacy Expert should be able to handle complex and risky situations with effective oversight.
• The DPO or Privacy Expert must be aware of the daily work culture and processes of the organisation as well.

What are the tasks of the DPO or Privacy Expert?

The DPO or Privacy Experts are required to perform certain tasks as defined in Article 39 of the General Data Protection Regulation (GDPR) that include:

• To inform and advise you and your employees about your obligations to comply with the GDPR and other data protection laws;
• To monitor compliance with the GDPR and other data protection laws, and with your data protection policies, including managing internal data protection activities; raising awareness of data protection issues, training staff and conducting internal audits;
• To advise on and to monitor conducting of data protection impact assessments;
• To cooperate with the supervisory authority and;
• To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).

Can we assign other tasks to the DPO or Privacy Expert?

The General Data Protection Regulation (GDPR) stipulates that you can assign further tasks and duties, but only when there is no conflict of interest with the DPO or Privacy Expert’s main tasks and responsibilities

Can the DPO or Privacy Expert be an existing employee?

Yes, if you have a person in the firm who will be able to handle the job well then you can swap their role with ease.

Can we contract out the role of the DPO or Privacy Expert?

Any externally appointed DPO or Privacy Expert should have the same power, role and duties as an internally appointed one. If you can ensure this then it is alright to appoint an external DPO or Privacy Expert too.

Can we share a DPO or Privacy Expert with other organisations?

A group of companies or public authorities may share a DPO or Privacy Expert. DPO or Privacy Experts who are able to perform their tasks effectively, taking into account the structure and size of those organisations can also work for several organisations. If the DPO or Privacy Expert is shared then they must be highly accessible, for all employees of all organisations alike.

Can we have more than one DPO or Privacy Expert?

One individual DPO or Privacy Expert is needed under General Data Protection Regulation (GDPR) who meets the requirements set out in Articles 37-39. The company must entertain all needs of the DPO or Privacy Expert in a professional capacity. The opinion and verdict of a DPO or Privacy Expert must be heard and respected. Furthermore, the General Data Protection Regulation (GDPR) law requires organisations and their DPO or Privacy Experts to:

• Publish the contact details of their DPO or Privacy Expert and;
• Provide them to the ICO or their respective privacy and data protection watchdog.

Is the DPO or Privacy Expert responsible for compliance?

The DPO or Privacy Expert is professionally responsible for compliance. But the liability is limited in nature and shall not impact their personal life.