A DPO Won’t Let You Stray from the GDPR
The GDPR expands the rights of individuals over their personal data and places greater obligations on businesses and other organisations that process it. One of those obligations is to appoint a data protection officer (DPO) in certain circumstances to support your organisation's ongoing efforts to comply with the GDPR.
A DPO is an independent data protection expert who informs and advises your organisation on its GDPR obligations, monitors compliance, and acts as the point of contact for data subjects and the supervisory authority. Their central goal is to help you demonstrate GDPR compliance in your business activities and to flag shortcomings. However, a DPO is not personally liable for data protection compliance: responsibility remains with your organisation as controller or processor.
Regardless of your size, or whether you are a data controller or processor, appointing a DPO is mandatory under these three situations:
- If your organisation is a public authority or body (excluding courts acting in their judicial capacity)
- If your organisation’s core activities consist of data processing operations that require regular and systematic monitoring of data subjects on a large scale, such as online behaviour tracking
- If your organisation’s core activities consist of large-scale processing of special categories of data—such as sensitive data concerning an individual’s health, religion, race or sexual orientation—and personal data relating to criminal convictions and offences
However, even if your organisation doesn't meet any of the mandatory situations, the Information Commissioner's Office (ICO) nevertheless encourages all organisations to appoint a DPO to demonstrate commitment to GDPR compliance.
Your organisation's DPO can be an existing employee, an external appointee or even shared with other organisations. Whichever route you choose, you must verify that the DPO is competent and qualified, can act without conflicts of interest, and is able to give your organisation the attention it needs. If your organisation fails to appoint a DPO when one is required, you could receive a fine of up to €10 million or up to 2 per cent of your global annual turnover, whichever is higher.
The 8 Steps to a Successful DPIA
In your organisation's GDPR compliance efforts, you will most likely need to complete a data protection impact assessment (DPIA). While only a requirement for specific types of processing under the GDPR, this evaluation helps you to identify, assess, and mitigate or minimise privacy risks in your personal data processing activities.
Under the GDPR, a DPIA is required for any processing likely to result in a high risk to individuals, and in particular your organisation must conduct one if you meet at least one of these conditions:
- You use systematic and extensive profiling with significant effects
- You process special category or criminal offence data on a large scale
- You systematically monitor publicly accessible places on a large scale
Regardless of the reason why your organisation is conducting a DPIA, the evaluation must meet the following criteria:
- It must describe the nature, scope, context and purposes of the data processing
- It must assess necessity, proportionality and compliance measures
- It must identify and assess risks to individuals
- It must identify any additional measures to mitigate those risks
After you have determined that a DPIA is necessary, you should follow these eight steps to carry it out successfully:
- Describe how the personal data will be processed, including its nature, scope, context and purposes.
- Decide whether you need to consult relevant stakeholders, including the data subjects or their representatives, and whether you should involve your DPO or another data protection expert.
- Review your lawful basis for processing and assess necessity and proportionality: confirm that the planned processing is needed to achieve your purpose and consider whether a less intrusive alternative would do.
- Identify and assess the potential risks to individuals from processing the data.
- Identify measures to reduce or eliminate those risks.
- Sign off on the DPIA and record its outcome, including any residual risk you have accepted.
- Integrate the DPIA outcome into the project's plan.
- Monitor your data processing activities and revisit the DPIA when the processing changes.
To help your organisation determine whether a DPIA is necessary and to complete one successfully, the ICO has released a sample template. For other GDPR enquiries, contact CyberBee today.