As technology transforms, the GDPR, a flagship piece of legislation, is replacing the outdated and insufficient Data Protection Act 1988. Who will now oversee your organisation’s data control?
Organisations cannot simply depend on their Data Controllers or Data Processors; the only change the GDPR makes in this respect is to set out the obligations of each role clearly.
Data processors handle the processing of personal data, whereas Data controllers determine why and how personal data will be processed.
The GDPR brings these two roles together and makes sure that both comply with its strict Data Protection Officer requirements.
A New Role – Data Protection Officer (DPO)
Many organisations are unsure whether they require the extra safeguard of a DPO.
The GDPR has a reason for imposing this requirement on certain organisations, and it reflects the general spirit behind the data protection officer role: large organisations, for example, must take the collection and storage of data seriously.
GDPR Article 38(3) and the Article 29 Working Group each provide separate guidance for DPOs, along with essential FAQs. The ICO website is an excellent and readable source of reference.
The Data Protection Officer under the GDPR will help to reduce cyber-attacks and malware such as “ransomware”, which last year hit some large organisations, including:
- Local authorities
- Financial and Insurance
- Utility Companies
- Health Centres
Companies can err on the side of caution and enlist the help of a DPO, but finding the right person for the task is not easy, for several reasons. The DPO and their responsibilities carry great weight in an organisation, so a company must hire the individual best suited to the post.
Firstly, the EU has not yet clearly defined what a DPO is; secondly, the role requires experience in several areas, whereas many companies have concentrated solely on the security of their IT systems when seeking to employ a DPO. Compliance and communication must be weighted equally in the hiring decision.
According to the regulation, the data protection officer must have expert knowledge of data protection. Fundamentally, the DPO has three primary responsibilities, each of which demands an expert in the GDPR:
- Compliance
- IT Security
- Communication
As part of the compliance responsibility, a DPO serves as the point of contact between the company and the GDPR supervisory authorities. This is why a DPO should have experience in dealing with regulatory agencies and practical experience in compliance matters such as internal audits.
The security role, by contrast, requires the DPO to understand how the IT and technology infrastructure relates to the data, how to keep all the necessary records associated with the data, and how to train staff to use the data correctly.
The communication role focuses on educating employees and stakeholders about compliance requirements, as well as talking to customers to let them know how their data is used.
Under the regulation, data breaches must be reported promptly, and any breach must be communicated to customers or other relevant parties who have provided information to the company.
Outsourced DPO Services
What constitutes a suitably qualified DPO? These are the key factors:
- Privacy laws
- European data protection laws
- IT infrastructures
A suitably qualified and well-rounded DPO will command corresponding remuneration, but many organisations will be reluctant to pay steep fees.
At the same time, the evolution of the legislation will ensure a buoyant marketplace for DPOs, so fees will become more competitive; even so, finding the best-qualified candidate for your organisation is far from simple.
Companies can source virtual or in-person DPOs and GDPR advisors on the Seers platform.