What Your Data Protection Officer Should Be Doing This Week
With the GDPR applying from 25th May, less than a week away, firms across the country have been preparing for the new regulation. Most of us will have noticed the influx of emails from companies asking us to read updated privacy notices and terms and conditions, and to opt in if we want to keep receiving communications. What is less obvious are the changes being made behind the scenes. Most firms should, by now, have established whether they are required to appoint a Data Protection Officer or wish to do so voluntarily, and have made that decision. The concept of the role isn’t new, and many firms will be used to working with their DPO.
There are some changes, however. Under the previous legislation the role was not mandated and none of its duties were prescribed. Under the GDPR, where a DPO has been appointed they must have expert knowledge of data protection law and practice, and their tasks must be clearly defined. Those tasks (set out in Article 39) include advising the organisation on its obligations, monitoring compliance, training staff, advising on Data Protection Impact Assessments, keeping up to date with relevant guidance and codes of practice, acting as the contact point for the supervisory authority, and overseeing the response to any data breaches.
The General Data Protection Regulation is the biggest change to data protection regulation since the Data Protection Act 1998. The Data Protection Officer role exists to help firms operate within the law; the Article 29 Working Party describes DPOs as being ‘at the heart of this new legal framework’. It is clear from the Working Party’s guidelines on DPOs that the role is intended to facilitate compliance and accountability, and that in practice DPOs act as intermediaries between the stakeholders: data subjects, business units and the supervisory authority.
Firms can appoint a DPO from within their own staff or contract the role out to a third party. In either case the DPO must be able to carry out their duties independently: the organisation must not instruct them on how to perform their tasks, and must not dismiss or penalise them for performing them (Article 38). Whether the role is new to the firm or the DPO has been in post for some time, the new rules bring a set of new challenges. So what should DPOs be doing this week?
Whilst DPOs are not personally liable for non-compliance with the GDPR (ultimate responsibility rests with the controller or processor), they must be able to provide controllers and processors with expert advice, and must be involved properly and in a timely manner in all issues relating to personal data. DPOs can play a crucial role in marketing decisions, including when and how to inform current customers of changes to privacy notices, and how privacy notices are provided to new customers.
Similarly, whilst most firms will have their new or amended processes and procedures in place by now, guidance continues to be published. DPOs should make sure they are up to date with new publications from the Information Commissioner’s Office and the Article 29 Working Party, and with any relevant Code of Practice, and should work any new guidance or rules into processes and procedures where relevant.
Delivery of training to current and new staff may sit with HR or line managers, but awareness-raising and training of staff involved in processing is one of the DPO’s tasks under Article 39, so their expertise should be used in designing and reviewing that training. The GDPR will affect many aspects of most staff members’ current roles, particularly where they are customer facing or involved in marketing and communications. DPOs can review existing training material to confirm whether it is still appropriate, amend or add to it where necessary, and, if required, create a new module covering the GDPR in depth.
Under the new regime, a Data Protection Impact Assessment is required where processing is likely to result in a high risk to individuals’ rights and freedoms (Article 35). Carrying out a DPIA is the controller’s responsibility, not the DPO’s, but the controller is required to seek the DPO’s advice when doing so, and the DPO can assist throughout. In the run-up to implementation, DPOs should be reviewing the Article 29 Working Party’s guidelines on DPIAs and advising the controller on the processes, procedures, guidelines, checklists and template assessments the firm will use. DPOs can also identify processing for which a DPIA is needed before the Regulation applies, and assist and advise on the assessment itself.
In addition, amendments to the UK's Data Protection Bill are being considered this week, ahead of Royal Assent, which is likely at some stage between today and 25th May. DPOs should be watching for the Bill to become law and, when it does, set aside the time to read it thoroughly. The Act will cover more than just the GDPR: it also sets out the UK’s exemptions and derogations, and covers processing by law enforcement and the intelligence services, which falls outside the GDPR. Being on top of it puts the DPO in a strong position to offer the advice and assistance the role is designed for.
It’s important that firms remember that even if they are not obliged to appoint a DPO, they must still be able to discharge their obligations under the GDPR. Firms with or without a DPO in post may wish to gain extra assurance from a Post-Deadline Audit. Covering all aspects of the GDPR, our audits offer the opportunity to benchmark your compliance against the GDPR and the UK's new Data Protection law. Contact Us for further information, or to book your Audit.