If you haven’t heard, GDPR, which stands for the General Data Protection Regulation, is a new European regulation (which also applies within the UK, even post-Brexit) that expands and enhances legal protections for consumers’ personal data.
If you’re a business that stores data about your customers, you need to take new measures to protect that information from hackers and other cyber threats. Of course, it’s a bit more complicated than that, so for a more complete description of this new legislation and its requirements, read this blog.
Among the new measures business owners must take, perhaps the most important is hiring a Data Protection Officer.
You might wonder:
- What’s a Data Protection Officer? What do they do?
- How do I know if I need to hire a Data Protection Officer?
- How do I hire a Data Protection Officer?
Read on for the answers to all these questions, so you can avoid hefty fines.
How do you know if your business needs to hire a Data Protection Officer?
If your business conducts ‘regular and systematic data monitoring’ (we’ll go into this more later), or if you have more than 250 employees (or both), then you’ll need to hire a Data Protection Officer (DPO).
Not having a DPO when your business is legally required means fines. Moreover, not having one also means your data is more likely to be processed incorrectly when sent to the Supervisory Authorities (SAs), who oversee activities related to data (and that means fines). Plus, operating without a DPO to safeguard your data can result in more breaches (which means more fines).
If any part of your business processes customer data, from a marketing department analysing a target audience to a health insurance managing its policy offerings — or anything in between — you’ll need one.
More generally, if serious data collection is something your business does on any scale, you may need a DPO to operate in Europe.
So what qualifies as ‘serious’ data collecting?
You’ll need to hire a DPO if you fall into any of the following three categories:
If you don’t know what a public authority is, then you probably aren’t one. But it essentially applies to organisations that seek a charitable cause rather than profit.
If you carry out ‘large scale processing’ or ‘systematic monitoring’
This one is vague and captures a lot of activity. One common example is tracking the behaviour of your website visitors.
But if you store personal information about a lot of people, you’re likely going to need to figure out where your DPO is going to sit in your office.
If you deal with data related to criminal convictions and offences
If you work in law enforcement, or perhaps at a law office or anywhere else that stores information about criminal activity, you’ll need a DPO.
What’s the scope of a DPO’s job?
1. Keeping you in-line
A big part of a DPO’s job is to make sure you’re GDPR compliant, so you don’t need to worry about it. They should keep tabs on you and make sure you adhere to your new legal obligation.
2. Giving you advice
Your DPO is your point of contact for any questions. How much will GDPR impact you? Ask your DPO. Can you email this batch of potential clients if they haven’t opted in to receive marketing materials? Ask your DPO.
3. Being your point of contact with the Supervisory Authority
Your DPO will communicate with the Supervisory Authorities that enforce adherence to GDPR.
This list, of course, is not exhaustive. The day-to-day work of your DPO will largely depend on your industry as well as how much data you collect and how you do it.
What does ‘large scale’ mean?
There was some initial confusion about whether or not this measure would apply to small-to-medium enterprises (businesses that employ 250 people or fewer).
But Peter Brown, the senior technology officer of the Information Commissioner’s Office (ICO), clarified at a conference in June 2017:
‘I’ve heard plenty of people talking about there being a DPO exemption for SMEs – this is absolutely not the case.’
So even SMEs and micro-businesses aren’t exempt. If you’re a small business, our advice is Ask a lawyer. The best answer here is going to be a nuanced one.
Is this something I can put off doing?
GDPR comes into effect on the 25th May 2018. So whether you procrastinate is up to you.
But remember that the early bird begins to hire a Data Protection Officer with adequate time and then isn’t fined £17 million pounds.
And don’t forget that, above all, your DPO should be your advocate. They’re there to keep you out of trouble.
Pick a good one.