Questions you need to ask your DPO
At C-suite level, you will be held personally liable under the GDPR legislation so, whilst you might not need to be responsible for the implementation of data protection processes, you will certainly need to have asked the right questions of your Data Protection Officer to ensure that neither the company nor you as an individual don’t get into hot water.
Before we get into those questions, you need to know whether your organisation is required to have a DPO.
According to the ICO, the GDPR requires the designation of a DPO in three specific cases:
- where the processing is carried out by a public authority or body (irrespective of what data is being processed)
- where the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale; and
- where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.
Your DPO can be someone already within the organisation, if they have no conflict of interest with their existing professional duties, you can appoint a new, dedicated DPO or you can contract out the role to an external supplier. With the correct tools and backing, for example using a Privacy Management System such as PrivacyEngine, it is simple for an internal member of staff to take on this role and feel fully supported.
Answers to further FAQs on the role and responsibilities of DPOs can be found here http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_annex_en_40856.pdf
Questions to ask…
When the legislation comes into force next year, it will be too late to consider whether you should be taking steps to ensure that you are protecting individuals’ privacy as the ICO will be empowered to take action from 25 May 2018. There is no grace period, and it is our expectation that they have some companies in their sights already.
To avoid problems down the line, take some time to sit down with your DPO and ensure that you know the answers to the following:
- What personal data do we hold? On customers, suppliers and employees.
- Of that data what is personal and what is sensitive?
- How much of that personal and/or sensitive data do we justifiably need?
- What are the processes for safeguarding access to personal and sensitive data?
- How do we dispose of data we no longer need?
- Are we able to evidence our processes and provide an audit trail?
- Are we clear on whether we need to undertake a Data Protection Impact Assessment?
- What is the process for notifying the Board following a breach?
- Do you feel able to execute your role without fear of penalty?
- Do you have sufficient access to Board members to execute your role?
- Are you sufficiently integrated within the practices of the company’s departments to gain sight of any issues?
- Are you happy with your name being shared publicly as the contact for subject access requests?
Asking these questions is the first step towards safeguarding your and your company’s reputation so don’t delay.