The first step for all organizations whose core business is the processing and storage of personal data (large companies, public services, health and welfare organizations, financial institutions, etc.) to ensure compliance with the EU's General Data Protection Regulation (GDPR) is to designate a Data Protection Officer (DPO).
Since 25 May 2018, when the new regulation entered into force, the Data Protection Officer has been mandatory, in accordance with Article 37, for all companies collecting or processing the personal data of EU citizens.
The DPOs are responsible for overseeing the strategy and implementation of data protection in an organization in order to ensure compliance with GDPR requirements. They also serve as a point of contact between the company and the authorities that regulate data-related activities.
Data protection officers are responsible for educating their organization and its employees about important GDPR compliance requirements, for training staff involved in data processing, and for conducting regular security audits.
Responsibilities of the DPO
In particular, as described in Article 39 of the GDPR, the responsibilities of the DPO include, inter alia, the following:
• Training the organization and employees on important compliance requirements.
• Training of personnel involved in data processing.
• Carrying out checks to ensure compliance and address possible issues in a proactive way.
• Serving as the contact point between the organization and its GDPR supervisory authorities.
• Monitoring performance and advising on the impact of data protection efforts.
• Maintaining complete records of all data processing activities carried out by the organization, including the purpose of each processing activity; these records must be made available on request.
• Liaising with data subjects to inform them about how their data are used, their right to have their personal data deleted, and the measures taken by the organization to protect their personal data.
The Regulation also requires the DPO to have expertise commensurate with the organization's data processing functions and the level of data protection they require.
The DPO may be a member of the data processor's staff, and several organizations may appoint the same person to jointly supervise data protection, provided that all data protection activities can be managed by that person and the DPO is easily accessible whenever necessary. The DPO's contact details must be published and provided to all supervisory authorities.
The appointment of a DPO
From the above, it is clear that the DPO is a key post, and emphasis should be placed on choosing the right person to fill it.
The appropriate DPO should specialize in data protection regulation and practice and fully understand the organization's infrastructure, technology, and technical and organizational structure.
Ideally, a DPO should have excellent management skills and the ability to easily interface with internal staff at all levels, as well as with supervisors.
Companies and organizations should look for candidates who can internally manage data protection and compliance, while reporting any non-compliance with the GDPR to the competent supervisory authorities.
In this context, identifying an appropriate person within the organization who can remain independent of data processing decisions may be difficult.
Therefore, the DPO does not need to be appointed exclusively through internal staff relocation or recruitment; the role can also be outsourced to trusted partners who have the required know-how.