1 / 4

DO YOU NEED TO APPOINT A DATA PROTECTION OFFICER?

If you would like to discuss the impact of GDPR on your business and how we might be able to help you address any concerns, Contact GDPR Solicitors UK.<br>Call us on 44 203 670 5540 or 44 (0) 7545 813 894 <br>Reach us at https://www.bigdatalaw.co.uk/<br>

WilliamJohnesUK
Download Presentation

DO YOU NEED TO APPOINT A DATA PROTECTION OFFICER?

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. DO YOU NEED TO APPOINT A DATA PROTECTION OFFICER? 1. WHO NEEDS TO APPOINT A DPO The General Data Protection Regulation (GDPR) provides the circumstances in which a DPO must be appointed. Article 37(1) of the GDPR states ?the controller and processor shall designate a DPO in any case where; a. the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; b. the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or c. the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in

  2. Article 10.” Large scale data processing involves the processing of large volumes of data; for example, in the NHS or by a marketing company. The Article 29 Working Party has issued some helpful guidance. When considering large-scale data processing, the following should be taken into account; • the number of data subjects concerned – either as a specific number or as a proportion of the relevant population • the volu?e of data a?d/or the ra?ge of differe?t data ite?s ?ei?g processed • the duratio?, or per?a?e??e, of the data pro?essi?g a?tivity • the geographical extent of the processing activity The core activities by controllers are those relating to those operations which are needed to achieve the organisations goal (Article 29 Working Party); i.e. you need to see if your core activities are dependent upon some processing, perhaps because of a contractual obligation. For example, a

  3. company sells a car and offers a warranty. The core act will be the sale of the car, but the warranty will involve the processing of personal data relating to the person who brought the car. If the business is such that the core activity involves the processing of personal data in order to be performed, then the processing of data becomes inextricably linked to that core activity. 2. WHAT DOES A DPO DO The DPO?s function is to monitor compliance with the GDPR. The DPO acts as the ?eyes and ears? of the Regulator within an organisation to ensure compliance. The DPO will collect information to identify processing activities, analyse and check compliance of processing and inform, advise and issue recommendations to the controller or processor in matters such as Data Protection Impact Assessments (DPIA). In essence the DPO acts to safeguard the organisations position and to manage risks associated with data protection. If a business gives the formal title of DPO, then such title brings with it all of the protections of the GDPR to the DPO. The DPO is protected against redundancy and penalties and their genuine independence must be ensured. If an organisation decides not to appoint a DPO, it must document the reasons for doing so. A failure to appoint a DPO can result in significant fines and penalties to the organisation. 3. WHO CAN BE THE DPO The GDPR is not specific, although the Article 29 Working Party makes clear a DPO must have an understanding of data protection laws. A company could therefore appoint a senior person who would be supported by experts and this is an approach endorsed by the Article 29 Working Party. The DPO reports to the highest levels of the management in an

  4. If you would like to discuss the impact of GDPR on your business and how we might be able to help you address any concerns, Contact GDPR Solicitors UK. Call us on +44 203 670 5540 or +44 (0) 7545 813 894 Reach us at https://www.bigdatalaw.co.uk/

More Related