On 25 May 2018, the EU General Data Protection Regulation (GDPR) takes effect, and organisations across the globe will need to comply with a host of new requirements. Even though it’s an EU law, the GDPR applies to any organisation that processes EU residents’ personal data, which includes many businesses in Asia – particularly those that deal with customers and clients online.
It’s easy to understand why some of the GDPR’s requirements are in place, such as essential changes to consent requirements, but others are less obvious, such as the appointment of a data protection officer (DPO).
Many people don’t know exactly what a DPO does or why they are necessary. Indeed, the GDPR mandates that only certain organisations appoint one, so what makes them so important?
A DPO is essentially a compliance officer who, acting independently, reports to senior management on data protection issues and advises employees on how best to keep data safe.
All public authorities and companies that carry out either large-scale systematic monitoring of individuals or large-scale processing of special categories of data need to appoint a DPO. Even if your organisation doesn’t meet these criteria, many experts – including the Article 29 Working Party (WP29) – recommend appointing a DPO anyway as a matter of good practice.
What does a DPO do?
DPOs are responsible for:
- Informing and advising organisations and their employees on how to comply with the GDPR and other data protection laws;
- Monitoring organisations’ compliance in relation to the GDPR;
- Managing internal data processes and making sure they are carried out correctly;
- Training staff who are involved in handling personal data;
- Advising organisations on data protection impact assessments; and
- Managing queries regarding data protection, consent withdrawal, the right to be forgotten, etc.
What makes a good DPO?
The GDPR doesn’t specify the qualifications or experience that a DPO needs, other than broadly saying they should possess expert knowledge of data protection law and practices.
We recommend that DPOs should have significant and evident experience in EU and global privacy law, the ability to draft robust privacy policies and knowledge of outsourcing agreements. A candidate with a legal background or qualification may be well suited to the role.
Given that so much data is processed electronically, a DPO would also benefit from experience in IT operations. However, organisations must remember that the GDPR isn’t just an IT issue and can affect many departments.
Gain the knowledge to become a DPO
If you’re interested in becoming a DPO, you should consider enrolling on our Certified EU General Data Protection Regulation Practitioner (GDPR) Online Training Course.
This course helps you gain a practical understanding of the tools and methods you need to implement and manage an effective compliance framework. It discusses how the data protection principles work in practice, the policies and procedures you need to follow and the steps you need to take to put in place a privacy and information security compliance programme.