Your typical C suite had a very particular makeup prior to the information age. You had your chief executive officer (CEO), chief financial officer (CFO), chief operating officer (COO), and so forth. But the introduction of the internet as a commercial entity forever changed that. Today’s executive teams also include Chief Information and Chief Technology Officers. Some companies even require a Data Protection Officer (DPO).
Does your company need a DPO? There are both legal and practical answers to that question. Both are rooted in the EU’s General Data Protection Regulation (GDPR) implemented back in 2018. Under the regulation, certain types of organisations are required by law to have a DPO. Even if the law doesn’t apply directly to your company, there may be very good practical reasons to have a DPO anyway.
Defining the DPO
The GDPR’s definition of a DPO is not complicated. In summary, this individual is ultimately responsible for guaranteeing that his or her company is maintaining compliance with all aspects of the GDPR. The DPO determines data retention periods, authorizes workflows relating to data access, develops policies for how data is collected and used, develops and implements policies to protect customers, and so forth.
Technical requirements dictate that the DPO has a solid understanding of how data systems work. Though someone with a background as a CTO or CIO could fill the DPO role, it is better at this time to go with someone who has special training in this particular area.
In the absence of hiring someone, a company can seek out GDPR DPO as a service. In other words, a company contracts with a consulting firm to function as its DPO. The consulting firm handles all the functions on behalf of a company officer to whom it reports.
The DPO and GDPR
The GDPR clearly spells out specific organisations required to have DPOs. There are three broad categories mentioned in the regulations:
- Public Bodies and Authorities – This includes all government agencies as well as NGOs that do work on behalf of government entities.
- Processing Operations – Organisations in this category must have a DPO because their core activities consist of processing operations that make use of protected data on a significant scale.
- Special Data Processing – Organisations in this category must have a DPO because their core activities involve routine processing of special types of data on a significant scale. Organisations that process criminal data are a good example.
If it seems like these three categories are rather broad, it is because they are. So how is a company to know if it is required to have a DPO by law? By either checking with the appropriate authorities or working with a consultancy specialising in compliance issues.
Practical Reasons for Hiring a DPO
Despite such broad guidelines for determining whether or not a company must hire DPO, a fair majority of small businesses around the world can get away without having one – at least where a direct legal requirement is concerned. Nonetheless, there are still practical reasons for having a DPO.
For starters, any company that does outbound marketing as a core business component is skirting that legal line. It doesn’t make sense to risk being out of compliance by not having a DPO. As they say, better safe than sorry. Collecting and storing data for outbound marketing purposes almost certainly qualifies as data collection on a significant scale, so why take the risk?
Other practical reasons for bringing on a DPO include:
- Providing outsourced business services relating to human resources, IT, and sales and marketing. Significant volumes of personal data are required to provide such services.
- Transferring large data sets on behalf of third parties. Companies should be especially concerned in this regard if the data they transmit goes to global destinations. Remember that companies must comply with the GDPR if any of the data they collect is either stored in the EU or EEA or is from individuals residing in those two regions.
- Providing security services. Because CCTV and other types of recording and monitoring services generate identifiable information, it is a wise idea for companies in the security sector to have an experienced DPO who knows how to protect that information.
Even without a DPO on staff or a contracted DPO service, companies are still expected to comply with data protection law. This is yet another practical reason to consider bringing on a professional. The law is very specific about how data can be collected and utilised. It is very specific about how individuals are to be protected. Companies need a person who understands the law intimately.
Failure to Comply
If your company still needs a reason to consider having a DPO on staff, failure to comply could be enough motivation. The GDPR includes harsh penalties to be enforced against organisations that do not follow the regulations. At the top of the scale are hefty fines that could amount to as much as $20 million or 4% of the company’s annual turnover.
Even small businesses can face significant fines for not maintaining compliance. In the most egregious cases, individuals within a company’s management team could be held liable as well. In short, the GDPR is nothing to mess around with.
Compliance is also a good thing from a public image standpoint. Companies should want their customers to feel comfortable that they are protecting personal data at all costs. All it takes is a single data breach to lose the trust a company has established among its customer base. Maintaining compliance at all times reduces the risk of a security breach while simultaneously solidifying that particularly important trust.
Does your organisation need a DPO by law? If it falls under one of the three categories listed in this post, then a DPO is required. And if not, there are a host of practical reasons to have a DPO anyway. Organisations can hire a DPO directly or contract with the consultancy that offers DPO as a service. One way or the other, public and private organisations alike are required to comply with the GDPR whenever dealing with personal information from EU or EEA customers.
The post Does Your Business Need a Data Protection Officer? first appeared on Feedster.from Feedster https://www.feedster.com/online-business/does-your-business-need-a-data-protection-officer/?utm_source=rss&utm_medium=rss&utm_campaign=does-your-business-need-a-data-protection-officer
No comments:
Post a Comment