Who is your DPO? Come May 2018 and the introduction of GDPR you are going to need one.
If you are a business owner, a board member, an HR professional or an IT manager can I ask you to do just one thing before the end of the day? Just put a note in your diary for Friday 25th May 2018 and label it ‘GDPR Day’.
If you are not aware of what I’m talking about, GDPR, the General Data Protection Regulation, is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for individuals within the European Union (EU). It also addresses the export of personal data outside the EU. I can already hear you turning off and going back to your emails or other more pressing business matters.
…and that’s ok, because if you employ a Data Protection Officer (DPO) in the next few months, their role is going to ensure that you are compliant and in a fit state to meet the requirements of the GDPR come that Friday in May 2018.
…and before you throw the ‘Brexit’ excuse at me, saying that by 2018 we will be out of Europe, well we may, but as the explanation from the Information Commissioner’s Office puts it: your non-EU based company will be subject to this Regulation if you are processing EU personal data as a consequence of:
- Offering goods or services (whether free of charge or not) to individuals in the EU or
- Monitoring their behaviour as far as their behaviour takes place within the EU
…but isn’t this just more paper pushing, and couldn’t you easily do without all that? Hmmm, not really, because if you fall foul of the GDPR then fines may be levied against your business. These won’t be the relatively small fines that have been issued in the past for breaching data protection laws; these will have some bite.
Under GDPR and depending on the severity of a data breach, be it accidental or malicious in origin, a fine of up to 20,000,000 EUR or up to 4% of the annual worldwide turnover of the preceding financial year, could be levied. Oh, and just to twist the knife further, this is caveated with “whichever is greater”.
To put this in context, after its much publicised data breach in October 2015, TalkTalk was fined £400,000 by the Information Commissioner’s Office. They expressed their disappointment at this. Had this data breach occurred under the watch of GDPR then their fine would have been around the £70,000,000 mark. If they were disappointed at £400k, they would be crying in their beer at having to hand over a cool £70 million!
The 25th May 2018 isn’t sounding so far away now, is it?
Between now and then, assuming you ‘meet’ the criteria and must abide by GDPR, there is a long list of issues that will need to be addressed. This will include, but not be limited to, getting cyber security in check, updating HR procedures, defining work processes and adhering to them, getting staff trained on the handling and management of data, securing your supply chain with regard to data sharing and probably a whole host of others too. It’s going to be a busy time.
This is where a DPO comes into play. The DPO is responsible for advising on the implications of data protection laws, developing a company’s data and privacy protection policies and ensuring compliance with those laws. They act independently within your organisation to resolve the historic tension between IT, HR, Legal and the rest of the business when it comes to the use, management, storage and transfer of data.
The DPO will also act as an onsite authority regarding data processing and privacy. They will be the independent point of contact should a breach occur and they will be responsible for reporting the breach to the relevant enforcement authorities. I can’t see this person being ‘popular’, but similar to your appointed Health and Safety manager, this is a necessary role for legal compliance and good governance.
The DPO is not a new role and in fact the appointment of a DPO has, for decades, been an essential element in the German data protection system. Since 1977, many German companies have been required to appoint an independent DPO to fulfil self-regulation obligations. It appears that the GDPR requirement to have a mandatory DPO has been inspired by the German model.
A good quality DPO is going to be an individual who, from a practical perspective, has a good understanding of the company’s technical and organisational structure and is familiar with its IT infrastructure and technology. They are going to have to understand legislation and its implications for the business in question and be unshakable in their response should a data breach or non-compliance occur. To pull on the parallel with a Health and Safety manager, who manages all aspects of physical wellbeing in the workplace, a DPO will manage all aspects of the ‘digital’ wellbeing in the workplace.
Training courses are already springing up for DPO training under GDPR, and for smaller companies there is the potential to outsource this to consultancies or other business support organisations.
With cyber crime in all its forms on the rise, this legislation and the mandatory requirement for a DPO are a welcome but painful necessity. It is being done for your own business protection, for the protection of your employees and for the protection of your customers. There is a lot more detail about GDPR and the role and requirements of a DPO available from the ICO. It would be in your long-term business interest to put some time aside to review it.
…and not to put too much pressure on you, from today you ‘only’ have 345 working days until GDPR Day! Best get started.