GDPR – FAQs
We recently provided a summary to our clients of the steps they need to consider to prepare for the General Data Protection Regulation (“GDPR”).
Many organisations, both large and small, will find this a complex issue to consider, so we wanted to break it down for you!
This initial piece includes answers to questions that are frequently being put to us.
Do I need to appoint a Data Protection Officer?
Some organisations are legally required to appoint a Data Protection Officer.
When does a Data Protection Officer need to be appointed under the GDPR?
A DPO must be appointed if:-
- your organisation is a public authority;
- the core activities of your organisation consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, for example, processing of personal data by tracking users surfing the internet for behavioural advertising by a search engine, or the processing of customer data in the regular course of business by an insurance company;
- the core activities of your organisation involve the large-scale processing of special categories of data, for example sensitive medical data, or data relating to criminal convictions.
Regardless of whether the GDPR obliges you to appoint a DPO, every organisation has a legal responsibility to ensure that it has the skills and capacity in-house to discharge the obligations imposed by the GDPR.
What is a DPO required to do?
The GDPR provides that the DPO’s minimum responsibilities are:-
- to inform and advise the organisation and its employees as to their obligations to comply with the GDPR and other data protection legislation;
- to monitor compliance with the GDPR and other data protection legislation, including managing internal data protection activities, advising on and assisting with data protection impact assessments, training staff and conducting internal audits;
- to be the first point of contact for supervisory authorities (in the UK, the Information Commissioner’s Office) and for individuals whose data is being processed.
No formal qualifications are required for the role, but whoever fulfils the role must have professional experience and knowledge of data protection law proportionate to the type of data processing carried out by your organisation.
Many small organisations are not obliged to appoint a DPO. However, the obligations under the GDPR still apply to those organisations, and they must ensure that they comply with all of its requirements.
Once you have decided whether or not you are going to appoint a DPO, you will need to decide who within your organisation will take responsibility for data protection.
I am aware that the GDPR is coming into force; what steps should I take immediately?
The GDPR is all about ensuring that businesses handle data properly and are accountable for processing it fairly and lawfully, with regard to data subjects’ rights. To comply with your responsibilities to process data fairly and keep it secure, you, as an organisation, need to understand what data you are actually processing. Remember, “processing” includes the storage and destruction of data. This may require a detailed internal audit/assessment of the data used and stored by you.
For example, almost all organisations process data through their own internal computer systems. However, organisations also need to think about how else they process and hold data. To put this into perspective:-
- you are likely also to have personal data contained in paperwork, which may extend to sensitive personal data relating to your employees stored in hard-copy personnel files;
- depending on the type of business, you may have information relating to your customers contained on paper files;
- there may be third-party providers to your business, for example payroll or data storage providers, who have access to personal data relating to your employees and/or customers;
- data may be left on your employees’ desks;
- data may be at your employees’ homes, if they work from home;
- data may be taken out of your premises by your employees, for example, in briefcases;
- information may be held on employees’ personal devices, e.g. phones, tablets and/or home computers.
As part of discharging your obligations under the GDPR, you need to work out where all the personal data processed by your business is held, and then put systems in place so that you are accountable for that data. A written record of your processing activities (which Article 30 of the GDPR requires of most organisations) is the usual way to capture the results of this exercise. This task, in itself, is likely to take some time.
We will talk more about your obligations in relation to personal data, wherever it may be held, in subsequent bite-size pieces.