Beverley Flynn reports on the changing status of Data Protection Officers under the EU General Data Protection Regulation.
The EU General Data Protection Regulation (GDPR) is coming to the UK and, with it, the requirement for public authorities and certain other organisations (whether data controllers or data processors) to appoint a data protection officer (DPO) to assist with compliance. Although the use of DPOs is established in certain jurisdictions, the mandatory DPO model is new for the UK.
Whilst some UK organisations have had an in-house voluntary DPO function for some time, the concept of a mandatory officer will be new, particularly for small and medium-sized businesses. Businesses that need a mandatory DPO will need to ensure that any existing DPO role is in line with the GDPR requirements. The distinction between a mandatory and a voluntary DPO may also mean that it takes some time for the industry to embed these changes and appreciate the value and advantages of each role. In addition, there is potential for more widespread use of external DPOs (either individual consultants or organisations) – again, a concept already used in other jurisdictions.
The full article was published in Privacy Laws & Business UK Report, issue 89, January 2017.