Oliver Price's Weekly GDPR Blog #6 - Call the Data Police!

One of the biggest changes in the General Data Protection Regulation (GDPR) coming into force on 25 May 2018 is whether organisations need someone internally to police compliance. That person is called a Data Protection Officer (DPO) and their role is significant. I blog on when a DPO is required. Next week, as there is quite a bit to it, I will blog on what the DPO role entails.
Experts and speakers are mostly reporting a requirement for a DPO that is now nearly a year out of date. On 13th December 2016 the EU organisation amusingly called the “Article 29 Working Party” effected a change so that the requirement is no longer the old one about 250 employees or more.
The basis for the requirement is now going to be: 
1. Public authorities – that includes national, regional and local authorities but the Government can decide to relieve a parish council of this (and I would expect either that it will or that umbrella arrangements will require local authorities to cover parish councils);
2. Organisations whose core activities require regular and systematic monitoring on a large scale; and
3. Organisations processing special categories of data and criminal conviction data.
Many organisations are not affected by categories 1 or 3 but many might be by 2 above. For example, is your marketing department profiling large data sets for selling purposes? Do you hold “big data”, e.g. telematic tracking of your vehicle fleet? Whilst it appears that having an in-house HR department is probably not going to mean you come under the same heading, it is easy to miss this.
For reasons I will explain next week, I have encouraged my firm to appoint a DPO. If I am not too careful I could be that person!
Friday 10 November 2017
Data Protection

Last updated 13/11/2017