The new European General Data Protection Regulation will bring a number of important changes to the way data protection is handled by companies. The GDPR will require private sector organisations to appoint Data Protection Officers in a number of situations.
Unlike the position under the Data Protection Act (DPA), both the controller of the data and any organisation the controller appoints to process the personal information on its behalf must appoint a DPO.
How do we know if a Data Protection Officer is required?
A DPO will be required in the following circumstances:
- When the organisation’s core activities require regular and systematic monitoring of data subjects on a large scale. In order to decide whether this applies, the organisation will have to consider the nature, scale and purpose of the processing.
- When the organisation is processing one of the “special categories of personal data” (see definition below) or criminal convictions or offences.
- Where the organisation is specifically required by law to appoint a DPO.
This is one of the areas where guidance should be issued by the European Data Protection Authority as a matter of priority.
What about groups of companies?
A group of companies or organisations may appoint one DPO providing that they all have easy access to that individual.
Who should be appointed as a DPO?
The DPO must be an expert in data protection law and can either be a member of staff of the controller or processor, or can fulfil the role under a services contract.
What is the overall role of the DPO?
The DPO must be involved in all matters that relate to the protection of personal data.
What are the public duties of the DPO?
The contact details of the DPO must be published and the Information Commissioner’s Office should be informed of the name of the DPO.
What are the special categories of Personal Data referred to above?
The GDPR refers to “Special categories of personal data”. This is what the DPA called “sensitive personal data”. This will now cover:
personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, together with genetic data, biometric data processed in order to uniquely identify a person, data concerning health, and data concerning a person’s sex life or sexual orientation. The GDPR’s general rule is that the processing of these categories of data is prohibited.
Where can I get specialist advice on this and other matters?
As experts in data protection law, Probert Legal can help you steer a path through the new legislation and ensure that your systems and procedures are robust.
For further information, please contact Tracey Wakelam at TraceyWakelam@ProbertLegal.com.