The UK will still be a member of the EU when the General Data Protection Regulation (GDPR) applies from 25 May 2018, which means, of course, that it will be subject to the new rules.
This has serious repercussions for UK Data Controllers and Data Processors alike; if you haven’t started preparing for it, don’t put it off any longer.
But where do you start? How do you identify what you need to do and begin to understand what the new obligations are?
A good place to start is one specific element of the new Regulation: the requirement for a Data Protection Officer (DPO) to be in post.
This requirement applies to organisations that:
- Are a public authority or public body
- Have core activities that require regular and systematic monitoring of individuals on a large scale, such as CCTV and location tracking
- Have core activities that involve large-scale processing of special categories of data, such as biometric data used to identify people (e.g. fingerprints), genetic data (e.g. DNA), and data relating to criminal convictions and offences.
The Regulation places a range of responsibilities on the Data Protection Officer, which include:
- Informing and advising the organisation and its staff of their data protection obligations
- Monitoring compliance, including awareness-raising, staff training and audits
- Advising on data protection impact assessments (the organisation carries them out; the DPO advises on them and monitors that they are done)
- Acting as the contact point for the supervisory authority and for individuals whose data is being processed.
Therefore, the person appointed must be free of conflicts of interest, and must be able to give independent advice in the best interests of everyone concerned.
Where previously, in many organisations, the Data Protection Officer role was a secondary responsibility held at lower or middle management level, the Regulation turns this around. Under GDPR the Data Protection Officer is a senior role, reporting directly to the highest management level or executive board.
In short, the Data Protection Officer must be involved, properly and in good time, in all issues relating to the protection of personal data.
They cannot be dismissed or penalised for performing their required tasks and must not receive any instruction on how to exercise those tasks.
That independence does not make their advice binding, however: the Data Controller or Data Processor remains accountable for compliance, and if it decides to depart from the Data Protection Officer’s advice, it is good practice to record the reasons for doing so.
Appointing a Data Protection Officer is just one of the steps to getting your organisation “GDPR ready.”
Our GDPR readiness work packages are designed to give organisations a full assessment of their readiness for the new data protection regulation.
Amongst other activities, we will provide clear visibility of an organisation’s current level of compliance, make recommendations for change, and identify the immediate, high-impact risk areas to be addressed in the short term.