FFT News
Who needs a Data Protection Officer?

Simon Citron looks at the issues you need to consider in deciding to DPO or not to DPO.

This is a tricky question for organisations, especially as few are likely to have employees with the qualifications or the experience to take on these extra responsibilities…even if they have the time to do so.

So, it’s not surprising that for many the default answer is to do nothing. But we believe organisations should think carefully about what the General Data Protection Regulation means for them before putting the issue in the “too difficult” box.

Do we really need a DPO?
Firstly, it’s true that many organisations won’t need to appoint a DPO. Under the GDPR (Article 37), there are three criteria, and if any one of them applies you don’t have a choice:

i) you are a public authority or body
ii) your core activities involve regular and systematic monitoring of individuals on a large scale
iii) your core activities involve large-scale processing of sensitive (special category) personal data, or of data relating to criminal convictions and offences.

What if you are a borderline case?
Often, the answer will not be clear cut. Plenty of organisations carry out some monitoring or process some sensitive personal data, and it won’t be obvious whether this is “core” or “large scale” enough to be captured by the Regulation.

In such cases, the safe approach is to appoint a DPO. Whichever way you decide, once you have considered the issue you should document the analysis and the decision, so that you can demonstrate to the regulator how you reached it.

But, even if it is not mandatory, it is obviously good practice to ensure the organisation has a clear point of reference for data protection issues. In our experience, the GDPR’s underpinning principle of data protection by design and by default is highly unlikely to be achieved by committee.

And it’s essential to plan for what would happen in the event of a data breach.

Statistically, organisations should expect this to happen. Clear ownership of an Incident Response Plan will enable you to react more quickly if the worst happens, including meeting the 72-hour deadline for notifying the regulator where a breach is reportable. It will also demonstrate that you took reasonable precautions to protect personal data and to limit the damage. Ultimately, the measures you had in place and how you responded are among the factors the regulator will weigh in assessing any fine.

Do I need an EU Representative?
The GDPR (Article 27) requires an organisation to appoint an EU Representative if it offers goods and/or services to individuals in the EU, or monitors their behaviour, but has no establishment in the EU. The EU Rep acts as the organisation’s point of contact for supervisory authorities and data subjects on data protection matters, and maintains the record of the organisation’s processing activities relating to individuals in the EU.

Who can act as DPO or EU Rep?
A DPO or EU Rep should:
• act independently, free from conflicts of interest
• have expert knowledge of data protection law and practice, and
• be able to report directly to the most senior level of management.

Regulators recognise that many organisations will not have the resources – or the need – to appoint a dedicated in-house DPO or EU Representative. They have confirmed that the duties can be outsourced to a third party under a service contract and, as well as providing a cost-effective solution, this can bring other benefits.

As a managed service, these roles can give even smaller organisations access to world-class expertise that would otherwise be unaffordable. Services can be flexed according to need and can cover a far wider range of issues than a single person could provide.

Deciding how best to respond to the GDPR is challenging, and we understand the temptation to deal with it tomorrow. We’ve worked with organisations of different sizes to identify solutions that fit their needs, so have a chat with us today and find out how we can help you.

Full Frame Technology has experienced individuals who fulfil the above criteria, with over 25 years of legal service, expert knowledge of data compliance and data breach issues, and experience of dealing with EU regulators. They can take on DPO or EU Rep appointments by way of a service contract.

Do please contact us if you would like assistance in considering this question further, or if you would like to learn more about the scope and pricing of our DPO or EU Rep services.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217