The Law Society has sought to clarify certain aspects surrounding the need to appoint a Data Protection Officer (DPO) under the new General Data Protection Regulation (GDPR) in newly published guidance, ahead of the 25 May 2018 implementation date.
GDPR requires certain organisations to appoint a DPO. The Information Commissioner (IC), the UK’s leading supervisory authority on matters relating to GDPR, confirms that the role of a DPO is multifaceted and involves informing the organisation and its employees about their obligations under GDPR, monitoring compliance with GDPR, conducting internal audits and being the first point of contact for supervisory authorities, employees and customers.
The Law Society’s guidance confirms organisations should appoint a DPO where any of the following criteria applies:
where the organisation is a public authority (except for courts acting in their judicial capacity);
where the organisation carries out large-scale systematic monitoring of individuals (for example, online behaviour tracking); or
where the organisation carries out large-scale processing of special categories of data or data relating to criminal convictions and offences.
The guidance offers a summary of the main points organisations should consider. One such point is that organisations that do not meet the criteria for needing to appoint a DPO may still choose to appoint someone to this position voluntarily. The Law Society advises that appointing a voluntary DPO is good practice and a useful way for organisations to show their commitment to meeting their other compliance obligations under the GDPR.
Organisations are reminded that when deciding on a DPO they should consider whether the individual has the appropriate level of expertise, independence and resources to carry out the required duties. It is important that the right individual is chosen at the outset and that every reasonable effort is made to allow them to succeed in the role.
Organisations are reminded that, whilst having a DPO in place can facilitate data protection compliance, DPOs are not considered personally responsible in the event of non-compliance with the GDPR. Responsibility for any breach of GDPR compliance always remains with the organisation. It is therefore imperative that organisations seriously consider the potential risk to GDPR compliance before any new operational decisions are made.