RGDP

Really Good Data Protection

FAQs

Data Protection and GDPR

Why is everyone talking about Data Protection?

2018 saw a major shake-up of data protection laws with the EU General Data Protection Regulation (GDPR) and UK Data Protection Act coming into force. These regulations brought in greater protection of personal data for the individual and have major implications for businesses and organisations as the penalties for non-compliance are potentially severe.

What is the GDPR and why is it important?

GDPR is the new EU General Data Protection Regulation, which strengthens existing data protection laws and practices. The UK Government has confirmed that UK businesses need to comply.

Why do we need to worry about GDPR when we are leaving the EU?

The UK is currently still in the EU and must follow EU law. When the UK leaves the EU, it is anticipated that GDPR will effectively become part of UK law since the UK will have to comply with EU standards if it is to conduct business with EU members.

Why should I consider outsourcing my DPO requirements?

For many organisations, outsourcing is likely to be more cost-effective than employing a full-time or in-house DPO. Additionally, many organisations do not have anyone with the required expert knowledge of UK and EU data protection law and practices who is sufficiently independent of decision making within the organisation. Avoiding such internal conflicts of interest is a significant requirement of GDPR.

DPOs – what are they and why are they needed?

What does the DPO actually do?

Article 39 of GDPR lists the minimum tasks that should be fulfilled by the Data Protection Officer. The principal task is to monitor an organisation’s compliance with legislative and regulatory requirements. As such, the DPO is to inform and advise the Data Controller, Processor and Board on data protection matters including the protection of personal data, assignment of responsibilities, awareness raising and training of staff.

Is the DPO responsible for compliance under the GDPR?

The DPO is not personally responsible for non-compliance under GDPR. The DPO is responsible for advising the data controller and processor on how to ensure that their organisations achieve compliance.

Who has to have a Data Protection Officer?

GDPR states that the following require a DPO:
  1. Public authorities or bodies. These are defined as those organisations subject to the Freedom of Information Act in England and Wales and the Freedom of Information (Scotland) Act in Scotland.
  2. Organisations whose core activities consist of processing special categories of data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation) or data relating to criminal convictions or offences on a large scale, e.g. law firms and GP/dental practices.
  3. If the core activities of the organisation require regular and systematic monitoring of data subjects on a large scale.
“Core activity” is activity that is inextricably part of the function of the organisation and is not a support activity. “Large scale” relates to the number/proportion/volume and/or different types of personal data. Even if they are not required to have a DPO, many other organisations that handle personal data will need to put policies and practices in place to ensure that they comply with the GDPR, and an outsourced DPO service from RGDP can help them do this.

Can I appoint an existing employee as a DPO?

The DPO can be an internal appointment or shared jointly between organisations. However, there is a requirement for the DPO to be independent, so to avoid conflicts of interest and/or when a full-time DPO is not required, outsourcing the DPO function to an organisation such as RGDP is a cost-effective option.

Who should the DPO report to?

The DPO should report to the top level of management and have access to the Board to make recommendations.

Our company is based in the EU - do we need a DPO?

Yes, if you are processing personal data of EU citizens and your company requires a DPO in accordance with GDPR (Article 37).

Our company is based outside the EU - do we still need a DPO?

Yes, if you have data subjects in the EU and/or as directed in GDPR (Article 3).

Contact Us

Really Good Data Protection
Tel: 0131 222 3239
Mob: 07741 738842
Email: info@rgdp.co.uk