GDPR update: Do I need to appoint a Data Protection Officer?
It’s important for all firms to consider the importance of appointing a Data Protection Officer, even if you don’t have to. In certain circumstances, you must appoint a DPO. For instance, virtually all public sector bodies will be required to designate a DPO under the GDPR.
When it comes to the private sector, such as law firms, the GDPR introduces a limited mandatory DPO requirement. Controllers and processors of information will only be required to designate a DPO if their core activities consist of processing operations that require regular and systematic monitoring of data subjects, or processing on a large scale of special categories of data, or data relating to criminal convictions and offences.
If we consider the virtues of a DPO and what the role is really all about, it makes sense for every firm to have a DPO. In short, it’s about having one member of your team who really understands your data and how you process it; the person who knows exactly where everything is stored, who it is shared with and why. Leaving the responsibilities to be picked up at random, or simply not considering your responsibilities at all, is a sure-fire way of falling foul of one of the requirements under GDPR.
Who should be appointed as DPO?
You may already have a DPO in mind. In all likelihood, it’s probably someone who tells you where you should be saving your data; who reminds you that “we don’t store it there anymore” and where you should be saving it instead. That same person keeps the filing cabinets tidy and your archiving and destruction process up to date. In truth, they are already fulfilling many of the responsibilities of a DPO, but without the title. With the support of the partners to push through any changes required, consider appointing this person as your DPO, as they can then help organise business processes and procedures with GDPR in mind.
Working with your legal software provider to stay compliant
In circumstances where your DPO designate has a good working relationship with your IT provider, putting together your processes will be quite simple – that’s assuming, of course, that your provider has taken the necessary steps to be compliant. Whilst it’s true that GDPR is about more than just saving your data in the right place, most of us retain more data electronically than ever before – and getting that in order will be a great step towards GDPR compliance.
Once you understand how and where your data is stored, you then put the processes together around how you obtain data in the first instance and how that data is treated and processed. As you’ll already know how it’s stored, that just leaves the final part: how and when it’s destroyed. Change can seem daunting or unnecessary, but GDPR is real and so are the fines for non-compliance. Now is the time to take a proactive approach and use the introduction of GDPR as the catalyst for improving your data management and recognising your DPO, instead of waiting to see what happens.