FEATURE 14 July 2017
Do you need a data protection officer?
For some, it will soon be compulsory to appoint a data protection officer. Dr Michelle Goddard looks at which organisations will need to fill this post.
As the May 2018 deadline for enforcement of the General Data Protection Regulation (GDPR) approaches, researchers need to think carefully about the actions required to ensure they are on the right compliance track. The GDPR contains some familiar data protection principles, but also introduces concepts that are relatively novel in the UK.
One of these is the compulsory appointment of a data protection officer (DPO) in specific circumstances. In Germany, DPOs are a core feature of the data protection framework, advising on compliance and acting as a contact for the data protection authority and data subjects. With the enforcement of the GDPR, this position will become more familiar across the EU.
Here are some points to consider in deciding whether, how and when you may need to appoint a DPO.
The GDPR obligation applies to all organisations handling personal data (both data controllers and data processors) and the essential test is whether your core business activities involve:
Guidance from the grouping of EU data protection authorities (the Article 29 Working Party) has made clearer the types of businesses that are likely to be affected. Companies processing personal data on a large scale for behavioural advertising, online tracking, fraud prevention, detection of money laundering, administering loyalty programmes, running CCTV systems or monitoring smart meters will be caught by the DPO requirement.
Similarly, in a research context, panel providers, opinion pollsters or audience measurement researchers will almost certainly need to appoint in light of the type and scale of their data collection activities. On the other hand, freelance independent qualitative researchers are unlikely to need to, as the volume of data and number of subjects whose data they process is likely to be relatively small.
If you are uncertain, it may still be useful to designate a DPO as this will assist you in fulfilling the GDPR requirement that firms be accountable, and demonstrate compliance with the key data protection principles. But be careful what you call the role. If a DPO is appointed – even on a voluntary basis – all the statutory protections will apply.
The DPO plays a key compliance role within the organisation and as an accessible contact for individuals and the data protection authority. As part of the role they will be required to:
The appropriate level of expert knowledge relates to the data-processing operations carried out and the level of protection required for the personal data being processed. For example, if the activity is complex, or involves a large amount of sensitive information, the DPO may need a higher level of expertise and support.
Essential skills and expertise to look for include:
Businesses that appoint a DPO must have the necessary resources to fulfil the job and grant the DPO significant independence with a direct reporting line to the highest management level. This is underpinned by statutory protection for their job security that expressly prevents dismissal or other sanctions on grounds that relate to their performance of the DPO tasks.
You can appoint internally or outsource the position. If you choose an internal DPO, they cannot be responsible for tasks that conflict with independence; avoid people in senior managerial or information technology roles.
Transparent and efficient handling of personal data via a DPO can help your organisation gain a competitive advantage, particularly in terms of public perception and reputation. So:
Failure to appoint a DPO, where required, can lead to fines of up to €10,000,000 or 2% of a firm’s worldwide turnover, depending on which amount is higher. Qualified people may increasingly be in short supply, so review your activities and make an early decision.
Dr Michelle Goddard is director of policy and standards at MRS