With only about six months until GDPR comes into force, there is still a lot of confusion. Amongst the multiple articles, recitals and subsections of the EU document is legislation designed to protect individuals’ privacy and security. Unfortunately, it’s buried in confusing jargon. It’s no wonder organisations are worried about whether they are on track to be ready.
Many businesses are still trying to get to grips with whether they are data controllers or data processors (or indeed, both). We also keep reading articles that suggest every organisation needs to appoint a data protection officer (DPO). If that were the case, the world really would have gone mad.
A lot of the confusion arises from unclear guidance. That’s why, even at this late stage in the process, businesses are frantically trying to clarify what they need to do. People who are already employed with the title of data protection officer are concerned that their current skill set doesn’t meet the new requirements, and are being urged to change their job titles if indeed it doesn’t. A good move… Expensive consultants are jumping onto the bandwagon, selling their services as outsourced DPOs.
Let’s be clear on this point: a data protection officer is only a requirement in certain cases.
A DPO is mandatory if you:
• Are a public body (excluding courts acting in their judicial capacity)
• Carry out large-scale, regular and systematic monitoring of individuals
• Process large amounts of certain categories of data or data relating to criminal activity and offences.
If you don’t fall into the above categories, you can appoint someone or designate someone to be your DPO (by another name if necessary), but it’s not compulsory. What is compulsory is meeting your GDPR obligations.