The EU’s GDPR came into effect on May 25, 2018. The primary purpose of the GDPR is to define standardised data protection rules for all member states of the European Union and the EEA. GDPR Art. 37, “Designation of the data protection officer”, sets out when an organization that has to comply with the regulation needs a Data Protection Officer (DPO).
When do businesses need to appoint a Data Protection Officer (DPO)?
Under the GDPR, any organization, big or small, inside or outside the EU, must comply with this requirement if its business involves:
– offering goods or services (whether free of charge or not) to individuals in the EU, or
– acting as a public authority, or
– engaging in large-scale systematic monitoring, or
– engaging in large-scale processing of sensitive personal data.
If your organization doesn’t fall into one of these categories, then it does not need to appoint a DPO.
The controller and the processor can each designate a data protection officer, or a group of undertakings may appoint a single data protection officer, provided that the data protection officer is easily accessible from each establishment.
The primary role of the data protection officer (DPO) is to ensure that their organisation processes the personal data of its staff, customers, providers or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules. In the EU institutions and bodies.
Data Protection Officer’s Profile:
Depending on the organization’s size, a Data Protection Officer should be a qualified individual with sound knowledge of data security and privacy. He/she should be well versed in the GDPR compliance requirements. A DPO should have a thorough understanding of the organization’s structures, policies and procedures. He/she should be able to work independently with top-tier management and should be free to make decisions that keep the privacy of data subjects as the focus.
Tasks of the DPO:
The DPO has to ensure that the data protection rules are respected, in cooperation with the data protection authority (for the EU institutions and bodies, this is the EDPS). In the EU institutions and bodies, the DPO must:
- Ensure that controllers and data subjects are informed about their data protection rights, obligations and responsibilities and raise awareness about them;
- Give advice and recommendations to the institution about the interpretation or application of the data protection rules;
- Create a register of processing operations within the institution;
- Ensure data protection compliance within her institution and help the latter to be accountable in this respect;
- Handle queries or complaints on request by the institution, the controller, other person(s), or on her own initiative;
- Cooperate with the EDPS (responding to his requests about investigations, complaint handling, inspections conducted by the EDPS, etc.);
- Draw the institution’s attention to any failure to comply with the applicable data protection rules.
Violation of the DPO-related provisions of the Regulation may result in substantial administrative fines (up to 10 000 000 EUR, or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher).
Interested in becoming GDPR Compliant? Industry certified professionals at EHR 2.0 can help maintain your business posture. Contact us at 866-276-8309 or firstname.lastname@example.org with any questions or to request a quote.