The European data protection Law is about to change. And this change is going to be the most important in 20 years. The new EU General Data Protection Regulation (GDPR) will take effect on 25 May 2018.
Theresa May’s government has confirmed that this new EU law is to remain applicable in the UK well beyond the date when the UK finally leaves the EU.
Section 4 of the GDPR introduces a new statutory position of Data Protection Officer (DPO).
The question is which companies will need a DPO? And what will be its role?
Which companies will need a DPO?
Existing data controllers and data processors will have to appoint a DPO in 3 situations:
1) Where the processing is carried out by a public authority or body:
For example, councils, government departments, the health sector, schools and emergency services will be covered by this new requirement. However, it is likely to cover also private companies which carry out public functions or deliver public services (such as in the sector of water, energy, transport, housing…).
Private companies not involved in public functions will only have to appoint a DPO if they engage in certain types of data processing activities as described in 2) and 3).
2) Where the core activities of the controller or the processor consist of processing operations which require systematic monitoring of data subjects on a large scale:
This will cover companies whose activity is to process personal data on a large scale for the purposes of behavioural advertising, online tracking, fraud prevention, detection of money laundering, running CCTV systems…
3) Where the core activities of the controller or the processor consist of processing on a large scale special categories of personal data:
This applies to companies whose activity is to process personal data on a large scale which are broadly the same as the sensitive personal data under the Data Protection Act 1998 (for example ethnic origin, political opinions, religious beliefs and health data). The said companies could be, to list some examples, polling companies, trade unions, cloud providers storing patient records…
Role of the new DPO
The new DPO’s mission will include:
-informing the data processor or data controller and the employees processing personal data of their legal obligations;
-monitoring compliance with the GDPR, including training of staff involved in the processing operations;
-providing advice, where requested in the company, about the data protection; and
-cooperating with and act as the contact point for the supervisory authority (the ICO in the UK).
It is very important to think this through well in advance of the deadline of 25 May 2018 as some GDPR fines can go up to 4 % of the global annual turnover or 20 million euros!