By Naima Zohair
Assistant Manager – Global Strategy
There is a growing misconception surrounding the need to appoint a Data Protection Officer (DPO) under the GDPR, which is effective on 25th May 2018. The role of the DPO is critical for correct implementation of the newly drafted regulation. In this regard, an organization needs to ask itself four main questions before appointing a DPO:
- Do they even need to appoint a DPO?
- Should they have a DPO anyway as a safe measure for compliance?
- Can the role of DPO be outsourced?
- Will the DPO be personally liable?
- When should a DPO be appointed?
I will start by answering the first question. According to Article 37(1), the GDPR requires data controllers and processors to designate a DPO in any case where:
- The processing is carried out by a public authority or body;
- The ‘core activities’ of the controller/processor consist of processing operations which ‘require regular and systematic monitoring of data subjects on a large scale’; or
- The core activities of the controller/processor consist of processing on a large scale of ‘special categories of data’ or personal data relating to criminal convictions and offenses.
As per the definition, private sector companies will not need to appoint a DPO. The majority of private companies do not engage in monitoring of personal data; therefore, in their course of administration, they will not need a DPO. For ready and seamless implementation of the three criteria stated above, guidance can be sought from the Article 29 Working Party Guidelines on DPOs, issued in 2016 and then 2017, so that correct measures are taken.