A Data Protection Officer may already be sitting in your office. It’s more likely, though, that you don’t have one in your organisation. You may not have even thought about whether you need to have a data protection officer.

If so, you are certainly not alone. Many businesses, especially SMEs, have given little thought to data protection. But having adequate data protection policies is just as important for businesses as having adequate HR policies. Lacking either leaves your business extremely vulnerable.


Growth in Data Protection Officers

The growing number of data protection officer vacancies shows that many businesses are giving the issue serious consideration. According to the International Association of Privacy Professionals (IAPP), European businesses preparing for the EU’s General Data Protection Regulation (GDPR) will hire 28,000 people in data protection, with worldwide hires of 75,000. This is because the legislation applies to any organisation that processes the personal data of EU citizens, even if the company itself is based elsewhere.

These numbers apply to data protection officers (DPOs) alone; they don’t take into account the assistants or extra legal or IT expertise that may also be required.

Must You Have a Data Protection Officer?

A data controller is the individual or legal person who controls, and is responsible for, the keeping and use of personal information on computer or in structured manual files. A data processor is an organisation that processes data on behalf of a third party but has no responsibility for deciding how it is used. Either type of organisation may need to have a data protection officer under the new legislation.

The GDPR sets out the need for a DPO in certain cases. Public bodies or authorities (with the exception of courts acting in a judicial capacity) must have a DPO. So must organisations whose activities “require regular and systematic monitoring of data subjects on a large scale”. Beyond that, organisations processing data on a large scale must have a DPO. European authorities have yet to decide what counts as ‘large scale’ data processing, so if you feel that your organisation may be processing data on a large scale, keep an eye out for developments.

Smaller organisations

Smaller organisations, or ones that don’t process large volumes of data, typically don’t need to have a data protection officer. However, that doesn’t make it a bad idea to appoint one. Remember, a data protection officer can have duties besides data protection, so the brief can be assigned to someone in your organisation with the appropriate skills.

Aside from a shiny new title, the role of data protection officer comes with some serious responsibility. Your data protection officer will be charged with protecting the personal information of staff, customers and service users across the organisation, and with implementing a well-thought-out data protection plan. If your organisation struggles to see projects through, particularly in compliance or in areas peripheral to your ‘core’ business, giving one person ownership of this area will encourage them to see it through.

Further Action

The GDPR is a complex piece of legislation. You may need to adopt new processes and policies to comply with it. Even if you don’t appoint a data protection officer, make sure that the staff responsible for data protection compliance in your organisation fully understand the legislation and the new obligations it brings. It may be a good idea for members of staff involved in this field to devote some of their continuing professional development training hours to becoming more knowledgeable in this area.

Find out more

Know your obligations under the EU GDPR.

The EU GDPR – Are Organisations Ready?

Even small organisations may need to consider a data protection plan.

Do SMEs Need a Data Protection Plan?
