We have previously looked at the sweeping changes to privacy laws coming into effect in the EU. These laws will have an impact on a number of Australian businesses. One of the first steps towards GDPR compliance is to identify whether your business is captured under Article 37 and requires the appointment of a Data Protection Officer (‘DPO’).
Reading this article will give you the option of downloading our free report on DPO, written by Dr. Drew Donnelly, Compliance Quarter. Download our free report for further details on the DPO by following the instructions in the popup box.
Alternatively, you can complete our FREE GDPR Readiness Questionnaire so that we can help you assess where you stand with GDPR and the work required. Our initial assessment and response is free of charge.
Application to Australian Businesses
While the GDPR is a European regulation, it applies to an Australian organisation that controls or processes data (and, indeed, to any organisation in the world that controls or processes data) where one of the three conditions set out in Article 3 is met:
- it has a physical establishment in the EU;
- it offers goods or services to people in the EU; or
- it monitors the behaviour of people in the EU.
In appointing a DPO, the organisation (whether a controller or a processor) needs to consider hiring or contracting an individual capable of carrying out all the specified tasks. The DPO can be internal or external to the organisation.
Tasks of the Data Protection Officer (DPO)
Article 39(1) sets out the tasks that a DPO is required to perform, including:
- Informing and advising the organisation of compliance requirements under the GDPR
- Monitoring compliance
- Supporting Data Protection Impact Assessments (DPIAs)
- Acting as the contact point with the supervisory authority.
Unless it is obvious that your organisation does not require a DPO, WP29 recommends that you document the internal analysis carried out to determine whether or not a DPO is required to be appointed (Guidelines, 2). Note that even if you are not required to appoint a DPO, it may be a good idea to do so, but keep in mind that if you do, the role and obligations of the DPO will apply as if the appointment had been mandatory (Guidelines, 2).
For the WP29 Guidance see http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083.
Unsure of your requirements under GDPR? Then talk to us for a GDPR review: we’ll set out your requirements, determine if a DPO is required, and offer our ongoing help to ensure you are ready and compliant.