Data Protection and GDPR
2018 saw a major shake-up of data protection laws with the EU General Data Protection Regulation (GDPR) and UK Data Protection Act coming into force. These regulations brought in greater protection of personal data for the individual and have major implications for businesses and organisations as the penalties for non-compliance are potentially severe.
GDPR is a new EU General Data Protection Regulation which strengthens existing data protection laws and practices. The UK Government has confirmed that UK businesses need to comply.
The UK is currently still in the EU and must follow EU law. When the UK leaves the EU, it is anticipated that GDPR will effectively become part of UK law since the UK will have to comply with EU standards if it is to conduct business with EU members.
For many organisations, outsourcing is likely to be more cost-effective than employing a full-time or in-house DPO. Additionally, many organisations do not have anyone with the required expert knowledge of UK and EU data protection law and practices who is sufficiently independent of decision making within the organisation. Avoiding such internal conflicts of interest is a significant requirement of GDPR.
DPOs – what are they and why are they needed
Article 39 of GDPR lists the minimum tasks that should be fulfilled by the Data Protection Officer. The principal task is to monitor an organisation’s compliance with legislative and regulatory requirements. As such, the DPO is to inform and advise the Data Controller, Processor and Board on data protection matters including the protection of personal data, assignment of responsibilities, awareness raising and training of staff.
The DPO is not personally responsible for non-compliance under GDPR. The DPO is responsible for advising the data controller and processor on how to ensure that their organisations achieve compliance.
GDPR states that the following require a DPO:
- Public authorities or bodies. These are defined as those organisations subject to the Freedom of Information Act in England and Wales and the Freedom of Information (Scotland) Act in Scotland.
- Organisations whose core activities consist of processing special categories of data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation) or data relating to criminal convictions or offences on a large scale, e.g. law firms and GP/dental practices.
- Organisations whose core activities require regular and systematic monitoring of data subjects on a large scale.
The DPO can be an internal appointment or shared jointly between organisations. However, there is a requirement for the DPO to be independent and so, to avoid conflicts of interest and/or when a full-time DPO is not required, outsourcing the DPO function to an organisation such as RGDP is a cost-effective option.
The DPO should report to the top level of management and have access to the Board to make recommendations.
Yes, if you are processing personal data of EU citizens and your company requires a DPO in accordance with GDPR (Article 37).
Yes, if you have data subjects in the EU and/or as directed in GDPR (Article 3).