In the second of a series of posts on the General Data Protection Regulation (GDPR), which comes into force from May 25th, 2018, I’m looking at the requirement for firms to appoint a data protection officer (DPO).
Here’s what you need to know:
If you track client data, you need a DPO
GDPR requires all organisations that undertake large-scale systematic monitoring of individuals to appoint a DPO. So, if you are tracking the behaviour of your clients and potential clients – such as how they interact with your emails, how they engage with you on social media, etc. – then you need to appoint someone. (And, frankly, if you’re not tracking this type of behaviour, you should be – it’s a vital part of raising AuM.)
Responsibilities of the data protection officer
Your data protection officer is there to inform your firm and its employees about their obligations under GDPR. Other duties include monitoring compliance, managing data protection activities, training staff, undertaking data audits, and dealing with data-related enquiries from supervisory authorities, clients and staff.
You must ensure that your DPO has access to the highest management level of your firm, is free to operate independently, and will not be dismissed or penalised for undertaking their role.
Who can be a data protection officer?
GDPR is a little vague on this issue, but it does say that a DPO should have “expert knowledge of data protection law and practices”, although the extent of knowledge required is proportionate to the level of data processing carried out and the amount of data protection that’s necessary.
The role of DPO can be assigned either internally or externally, and the DPO is allowed to perform other, unrelated tasks, as long as these do not lead to conflicts of interest.
• You must appoint a DPO if you track client data
• Your DPO has a wide remit, must have access to all management levels, and is protected from dismissal and suspension
• Your DPO can be from inside or outside your firm but must have professional data protection knowledge