GDPR (General Data Protection Regulation) is coming. It is inevitable, like drawing the very air you breathe. You will need to make sure you do everything you can to ensure you are prepared for the 25th May 2018 deadline. Failure to do so can have very serious consequences, with fines for businesses across the UK and EU totalling up to 20 million euros per organisation, or 4% of their global annual turnover.
With this in mind, one of the most important things you can think about is who is going to be your data protection officer (DPO). Your DPO will be the champion for all that is GDPR related, they will represent your organisation’s best interests when it comes to data management and will ensure all of your staff are fully-briefed, trained and compliant with the nuances of the legislation.
>See also: The General Data Protection opportunity
This article will explore the reasons why you should appoint a DPO immediately, along with some advice on how to do just that.
#1 – You could be required to by law
Under GDPR, it could be mandatory for your organisation to appoint a DPO. There are specific criteria that determine whether you will need a DPO or not and we have listed them all here:
• If your organisation is a public authority or public body, you will need to appoint a DPO;
• If your organisation monitors and stores data on a large scale. This is a little ambiguous, so we recommend checking the ICO site for more information;
• If the primary activities of your organisation comprise of processing sensitive data such as gender, religious beliefs or criminal convictions and offences.
#2 – They will handle training
Do you lack the headspace to handle GDPR alongside your day-to-day work? A DPO can be a dedicated job role to make sure everybody in your business is trained and up to scratch with the nuances of the legislation. Tasks include, briefing staff about new processes to ensure compliance with GDPR, assisting with training on how to use new security tools or software if they are required, and much more.
It is a tough job, briefing many stakeholders about what GDPR involves and it will require a person with swathes of time and unlimited patience.
#3 – Can help avert costly security breaches
The TalkTalk hack of 2016 is the biggest and certainly most high-profile cyber attack to take place in the UK. 175,000 customers’ personal data was stolen, including bank details and addresses. The attack cost TalkTalk dearly, with the ICO fining them £400,000. Under GDPR, this fine would have increased exponentially with some commentators touting an eye-watering £59 million fine.
With this figure enough to cripple businesses, it is crucial that you protect your business from hacks, and a DPO can help you do just that. As part of their security leadership role, any DPO must prioritise improving your organisation’s cyber-security under GDPR. There are numerous technologies and techniques that you can use to help you do this, such as the latest encryption and security awareness techniques. If you are unsure, we recommend seeking professional help.
#4 – Holds you to account
Like any jury, DPOs are required to remain impartial in their day-to-day role. This means not only do they serve the best interests of your business, they also serve the best interests of GDPR as a whole. If ever there is a conflict of interest, where your DPO may cause considerable damage to your business if you fail to comply with it, your DPO is obliged to report your organisation to the ICO.
This sort of approach acts as deterrent for businesses that fail to adhere to GDPR best practice as they never know what their DPO might do.
#5 – Your business will look good
Privacy is crucial, and that is why the European Parliament moved to ratify GDPR. The legislation was borne from a need to further protect European citizens’ personal data. When you access the Internet and use online services, you share a tremendous amount of information with organisations that can be used and processed in ways you can scarcely imagine.
By complying with GDPR, and talking about it, you will show that you are committed to privacy and security. You will be an organisation that people can trust to manage their data ethically.
Appointing a data protection officer
You should not delay – you should get straight to the business of appointing a DPO for your organisation. The more time you spend thinking about designating a DPO, the less time you will have to become compliant with the upcoming deadline.
If you are unsure on what to do, or how to do it, check out this whitepaper. It contains a host of tips and advice for those that are struggling to wrap their heads about GDPR. It also contains tips on how to appoint a DPO and will help you figure out the kind of person you are looking for.
Sourced by Mike Blackburn, managing director, I-COM