One of the GDPR events we held covered the crucial topic of whether an organisation should hire a Data Protection Officer. A number of professionals from varied backgrounds gathered to listen to a presentation by Paul Jordan of the IAPP.
Throughout the seminar, many of the audience had questions that they wanted Paul’s input on. We have put together a post covering a few that were asked and the responses from our guest speaker.
It is likely that SMEs will struggle more - they don’t have the same level of funds and resources available. Whilst the penalties are relative to annual turnover, the costs involved in hiring staff etc. could really set back small companies if they are subject to GDPR. This said, as has been seen in Germany, smaller businesses can benefit from consultancies that have been set up and offer outsourced GDPR assistance. We can expect to see a similar trend in the UK if consultancies are established.
This is heavily dependent on your situation; if your processes relate to offering goods or services to data subjects in the EU and your core activities consist of processing regular and systematic monitoring on a large scale or special categories including data relating to criminal offences, you are required to appoint a DPO.
When it comes to choosing a candidate to fill the role, in this instance, there is ‘no one size fits all’ in terms of qualifications and previous experience. The individual must build a structure within the organisation and inform what needs to be done. The IAPP offer recognised and thorough ‘GDPR Ready’ courses that give certification and can help your organisation head towards compliance.
Many organisations will need to hire a Data Protection Officer as part of reaching compliance, this appointment does not mean you are immune to being penalised. The DPO is responsible for due diligence and advises what has to be done to be compliant. It is the duty of the Board of Directors to action what has been advised and therefore they will be the accountable party if a breach occurs or there is a failure to protect the data in any way.
If you know that your organisation is subject to GDPR but you are not going to be fully compliant by the deadline of 25th May 2018, there are a few things that you can do to put yourself in a good position.
Actively engage with your Regulator asking questions; it shows that you’re making an effort
Put processes in place that display you are working towards compliance - whether it’s operational or in hiring an individual, the proof is there (this does by no means give you immunity, but you may be given an element of leniency by the Regulator)
If you weren’t in attendance of the event and would like more information about what was covered, as well as access to the presentations slides, you can do so on our recent post.