05 Jan 2018
GDPR
We recently provided a summary to our clients as to what steps they need to consider to prepare for the General Data Protection Regulations (“GDPR”)
Many organisations, both large and small will find this a complex issue to consider, so we wanted to break it down for you!
This initial piece includes answers to questions that are frequently being put to us.
Do I need to appoint a Data Protection Officer?
Some organisations are legally required to appoint a Data Protection Officer.
When does a Data Protection Officer need to be appointed under the GDPR?
A DPO must be appointed if:-
Regardless of whether the GDPR obliges you to appoint a DPO, all organisations will have a legal responsibility to ensure that they have the skills and ability within their organisation to discharge the obligations imposed by the GDPR.
What is a DPO required to do?
The GDPR provides that the DPO’s minimum responsibilities are:-
No formal qualifications are required for the role, but whoever fulfils the role must have professional experience and knowledge of data protection law proportionate to the type of data processing carried out by your organisation.
Many small organisations are not obliged to appoint a DPO. However, the obligations under the GDPR are still imposed upon that organisation and they must ensure that they comply with all of the requirements of the GDPR.
Once you have considered whether or not you are going to appoint a Data Protection Officer (“DPO”) you will need to decide who will take responsibility for data protection.
I am aware of the GDPR coming into force, what steps should I take immediately?
The GDPR is all about ensuring business handle data properly and are accountable for ensuring that data is processed fairly and lawfully with regard to data subjects’ rights. To ensure that you can comply with your responsibilities to ensure that data is processed fairly and kept secure then, as an organisation, you need to understand what data you are actually processing. Remember, includes the storage and destruction of data. This may require a detailed internal audit/assessment of the date used and stored by you.
For example, almost all organisations will process data through its own internal computer systems. However, organisations need to think how else they process and hold data. To put this into perspective:-
As part of you discharging your obligations under the GDPR, you need to work out where all the personal data processed by your business is being held and then work out systems to ensure that you are accountable for that data. This task, in itself, is likely to take some time.
We will talk more about your obligations in relation to personal data, wherever it may be held, in subsequent bite size pieces.
Harding Evans is a trading name of Harding Evans LLP, a limited liability partnership, registered in England & Wales (registered number: OC311802), authorised and regulated by the Solicitors Regulation Authority (SRA number: 419663).