In the fifth instalment of our GDPR FAQs mini blog series, we begin to consider regulatory concerns that are frequently raised by organisations. In this blog we will discuss whether organisations should nominate somebody to have responsibility for GDPR, even if a formal data protection officer is not required.
Our frequently given response:
A formal data protection officer must be appointed by the following organisations:
- Public authorities except courts acting in their judicial capacity;
- Where the core activities of the data controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- Where the core activities of the controller or the processor consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offences.
If your organisation doesn’t fall into the categories listed above, it is still worth considering appointing a “privacy officer” or similar, or nominating a person within your organisation to have responsibility for data protection and GDPR compliance and queries.
By ensuring your organisation has a point of contact for data protection, you increase the likelihood that subject access requests received by your employees will be forwarded to that point of contact to be dealt with, and that breaches committed by employees will be reported to the appropriate person so that, if necessary, the ICO can be notified within the new timescales.
Failure to nominate somebody as your organisation’s internal point of contact could make it more difficult for your organisation to achieve GDPR compliance and to understand whether breaches are arising and, if so, why and how to prevent them.