What companies are covered?
If your “core activities” involve regular and systematic monitoring of people in the EU “on a large scale”, you must appoint a DPO. The same applies if your core activities involve large-scale processing of special categories of data (health, biometrics, religion and the like) or data about criminal convictions and offences, and to public authorities regardless of scale.
Do you have to hire a new position? What if you already have a privacy officer?
You don’t have to hire—an outside contractor could do the job.
You could also designate an existing employee, as long as the person avoids conflicts of interest. A DPO could not, for instance, also be the head of marketing, HR or IT, and certainly not the CEO, since those roles decide the purposes and means of processing that the DPO is supposed to police.
What are the duties and job requirements of the DPO?
There are also some requirements in the regulation that make the role sound more like an ombudsman than an employee: the DPO reports directly to the highest level of management, takes no instructions on how to carry out the job, and cannot be dismissed or penalized for performing it. The data protection officer must monitor compliance with the GDPR, train employees and educate the organization on data privacy, act as liaison with the supervisory authorities, and assist with the “data protection impact assessments” that companies must prepare for types of processing that put the privacy rights of individuals at “high risk” (yes, it’s a bit vague in the regulation). The job requirements are “expert knowledge” of the GDPR and enough understanding of data processing to be an effective watchdog.
Are there penalties for failure to name a data protection officer?
Failing to appoint a DPO when one is required is itself an infringement, subject to administrative fines in the lower tier (up to €10 million or 2% of annual worldwide turnover). In all likelihood no EU privacy cops will kick in your door over a missing DPO alone, but it would not look good if you were later involved in a serious data breach affecting EU residents.
The bottom line – treat this as an opportunity, not a burden.
Focus on “smart compliance”. A DPO can help an organization prioritize its security gaps and choose cost-effective solutions to close them. A risk-aware approach based on the FAIR quantitative risk analysis model can turn compliance into an opportunity for productive risk assessment, with benefits beyond meeting the EU’s new privacy rules. For more on that, read: 3 Ways FAIR and Quantitative Analysis Can Help with GDPR.