The General Data Protection Regulation (GDPR) requires that somebody in your company takes responsibility for data protection but we look at whether that means you need to appoint a Data Protection Officer.
What is a Data Protection Officer?
A Data Protection Officer (DPO) is a formal role required by the GDPR as having overall responsibility for compliance. It is a mandatory position for certain organisations such as those processing large amounts of data or organisations subject to Freedom of Information requests.
A DPO has special legal protection and in some ways must act independently of the company so they can whistle-blow without fear of being disciplined. They must not have any responsibilities for privacy management systems in your company – they’re supposed to be able to audit your systems and identify where you need to improve.
So does an SME require a DPO?
It is unlikely that a small business is required to have a DPO unless processing large amounts of data. If you are in any doubt, we recommend that you contact the ICO small business line by email here.
Unless you are required to appoint a DPO under GDPR, we recommend you appoint someone who would carry out many of the same tasks and be the ‘go-to’ person in your company but won’t fall under some of the specific issues and requirements in the regulations. They will put the right technical and organisational systems in place to ensure your company meets the principles of the regulations.
This person should report directly on data protection and privacy matters to the senior manager with overall accountability for compliance with GDPR in your company, such as the senior partner or director.
Everyone in your company has a role to play
While identifying leaders is important, everyone in your organisation should understand the role they play in protecting personal information. This includes doing the right things to secure information and ensuring they only access information they really need to do their work. Astrid’s online platform includes a suite of training videos to ensure your employees understand their responsibilities.
Find out more
For further information on appointing the roles and responsibilities for GDPR within your organisation, register for free access to the first two steps in Astrid’s GDPR process here.
Protect your business - become and remain GDPR compliant with Astrid