Does my business need to appoint a Data Protection Officer?
There have been lots of big changes regarding the new GDPR laws. Now that many people have started to understand these changes, they have begun to ask questions about what they need to do next. One of these big questions, for B2B businesses, is whether they need a Data Protection Officer to manage this new area of marketing. Here’s what you need to know about this.
You may not need a specific Data Protection Officer, but there will be strong controls around personal data that you need to consider and take steps to protect. We recommend that you hold any personal data in one secure place as this will allow you to streamline your compliance efforts.
However, Article 35 of the GDPR states that you WILL need to appoint a DPO if your organisation:
- Is a public authority
- Engages in large-scale systematic monitoring of personal data
- Engages in large-scale processing of sensitive personal data.
If your business falls into any of the above categories, you need to consider appointing a DPO immediately. On the plus side, the only requirement the GDPR places on a Data Protection Officer is that they have “expert knowledge of data protection law and practices”.
Furthermore, data processors will also have direct legal obligations and responsibilities. This means that processors can be held liable for data breaches. Responsibilities between the controller and the processor will need to be clearly defined, and both parties will need to document their data responsibilities even more clearly than before.
With the introduction of mandatory privacy risk impact assessments, data controllers must adopt a risk-based approach before undertaking higher-risk data processing activities. They will be required to conduct privacy impact assessments to minimise the risk to their data subjects.
Data controllers will also be required to report data breaches to their DPA within 72 hours of becoming aware of them, unless the breach is unlikely to pose a risk to the rights and freedoms of the data subjects in question. Where the risk is high, the affected data subjects themselves must be notified. Regular supply chain reviews and audits will also be required to ensure that suppliers and processors remain fit for purpose.
For more information on how the GDPR could affect you, download our GDPR First Aid Kit.
If you’re looking for further advice, have you seen our compliance checklist?