Your Data Protection Officer guards personal data and privacy
The new EU privacy law has been passed and its enforcement, involving heavy sanctions in case of non-compliance, will come into effect on 25 May 2018. This has created a new role within organisations that process personal data: that of Data Protection Officer (DPO).
Do I need a Data Protection Officer?
Are you a public organisation or government body?
Do you process sensitive data, about political and religious beliefs, ethnicity or health?
Is monitoring large groups of individuals your core business?*
*This includes public transport services, telecom and internet providers, loyalty programs, the internet of things, wearables that measure health. Things like IP or MAC addresses and social media nicknames are considered personal data in the context of this law.
If the answer to one or more of the above questions is YES, and you do not have a DPO yet, you need to start looking immediately for a Knight in Shining Armour. You need him (or her) to protect the Holy Grail of Privacy and stand guard over the personal data entrusted to you.
The Knightly Virtues your DPO should possess
He or she wields an above average knowledge of the EU privacy laws as well as the technology used for gathering, storing and processing personal data in your organisation.
The DPO is the liaison between all inside and outside stakeholders, including the Privacy Authority in your country. He or she monitors both corporate processes and corporate culture in matters of data protection and privacy. He or she has the power to influence these and effect changes.
A DPO operates independently, without corporate instructions on how to execute his or her brief. To preclude conflict of interest, any other tasks this person fulfils within your company or organisation must lie outside the field of data processing.
Where to find your DPO
You may assign someone already employed within your organisation as DPO, as long as the conditions stated above are met. Or you may need to hire someone new specifically for the purpose. An independent DPO can also work for multiple organisations as an outside contractor.
A suitable candidate needs legal expertise and sufficient technical knowledge of data processing and IT security. The DPO needs to be provided with a budget, training and the freedom to signal problems and bring about necessary changes. The DPO cannot be held personally responsible if the privacy law is violated and cannot be penalised or fired for performing his or her duty.
Between now and 2018, a considerable number of government agencies, companies and organisations will be looking for a DPO. Our advice to all data processors is to make haste to fill this vacancy, as the demand will be high and suitable candidates scarce.
For more information about the EU guidelines on Data Protection Officers, go here.
Please feel free to contact us with any questions about privacy and data security. We’ll be glad to help!