Choosing a DPO can sound very complicated, but it really isn’t.
If your firm processes or stores large amounts of personal data, and if you have more than 250 employees, you must appoint a Data Protection Officer (DPO) for GDPR compliance. Even if your company does not carry out large-scale and regular monitoring of individuals, you may still want to have an experienced privacy professional on board who will ensure your company’s compliance with GDPR.
Whatever the size of your company, the now ‘famous’ GDPR rules apply to your practices, and it’s always better to keep them in mind.
Follow our simple checklist below, which gives you all the necessary information on appointing a DPO and on their functions:
- You need to make sure that your future DPO isn’t conflicted by having a dual role of governing data protection and also defining how data is managed. This means that IT developers, marketing agents and security managers cannot be appointed as a DPO, due to a clear conflict of interest.
- The DPO can be one person working full-time or part-time, or a team of people with a specific person nominated as the lead of the DPO function. That will very much depend on the workload.
- The DPO role corresponds to the responsibilities of an in-house lawyer. Usually the DPO would have a legal education and proper experience with data protection. You can appoint the DPO permanently, as an inside employee of your company, or outsource one for a fixed period of time. If you have a group of companies, you may appoint a single DPO to act for each of your companies separately.
- The DPO must verify the impact of the envisaged processing operations of personal data and assess the risks of privacy breaches.
- The DPO is an independent agent, acting without instruction from their employer over the way they carry out their tasks. As the DPO isn’t personally liable for data protection compliance, he or she cannot be dismissed or penalized for performing their tasks. That’s why you need to be very careful when choosing your DPO.
To sum up, it’s important to have a qualified DPO on your team, who will oversee the way you process your data and increase your chances of never facing GDPR fines.
Want to learn more about Made in law or about how to incorporate your company in France? Contact us!