"A DPO alone does not protect the company from breaches nor from penalties. Instead, it is whether a company has operationalised data protection and is able to demonstrate accountability."
Luis Alberto Montezuma & Qian Li Loke, IAPP
In this, the fifth of a series of linked articles about Data Protection Officers (DPOs) under the General Data Protection Regulation (GDPR), we discuss how an organisation can implement and maintain a privacy compliance programme when it is not required to appoint a DPO and chooses not to do so voluntarily.
It is important to note, however, that irrespective of whether a DPO is appointed, the maximum financial penalties for breaching the GDPR are the same across the board:
Higher amount – up to €20 million (or sterling equivalent), or 4% of global annual turnover of the preceding financial year, whichever is higher. These relate to more serious violations of the GDPR principles, of an individual's rights, or of the rules on transfers of data to third countries.
Standard amount – up to €10 million (or sterling equivalent), or 2% of global annual turnover of the preceding financial year, whichever is higher. These involve a violation of the requirements placed on controllers and processors, which include the duties relating to the DPO.
In either case, the reputational damage created by misuse of data can be even more costly.
Complying with the GDPR and the Data Protection Act 2018 (DPA18) is no small matter. In reality, the DPO operates as the central hub from which data protection strategy, communication and training are disseminated throughout the organisation. And because the DPO is independent and protected from sanctions for performing their duties, the organisation can be confident that data protection compliance is achieved. This is provided they appoint the right person, of course, and that they act upon any recommendations, advice and guidance being offered.
For companies, charities, and exempt public bodies who do not have a DPO in place, GDPR compliance must be carefully planned and executed. This article lays out how to meet your data protection responsibilities without a DPO and the pitfalls to avoid when putting systems in place.
Key facts for meeting GDPR compliance without a DPO
- In situations where there is no mandatory requirement to appoint a DPO, choosing not to appoint one voluntarily is nevertheless acceptable, despite the DPO Guidelines' recommendations to the contrary. Maintain an accurate record of the decision-making process identifying why a DPO is not required, and revisit the issue regularly to ensure that your circumstances have not changed.
- Remember, it is always the organisation that is accountable for GDPR compliance. Even without a DPO, companies, charities, and exempt public bodies are still obliged to satisfy all the GDPR requirements, along with any related regulations and national privacy laws. Not doing so will risk severe sanctions.
- Assign somebody with the responsibility to implement and maintain a data protection programme. A key part of their role will involve record keeping and ensuring policies and procedures are regularly updated and followed.
- To achieve compliance, follow each of the GDPR Principles and ensure that a lawful condition for processing personal data is always met. Uphold the rights of the data subjects, including those relating to overseas transfers, and ensure all processing of personal data complies with the requirements of privacy by design and by default. Make sure to implement all physical or technological security measures required under the GDPR.
- Take note: when reporting a data breach under the GDPR, the 72-hour clock starts ticking the moment you become aware of the breach.
- If you take your GDPR responsibilities seriously and implement reasonable measures to protect personal data, then the ICO will recognise your efforts. Treat cybersecurity as a boardroom issue and demonstrate transparency and accountability for your customer data; should the worst happen, the ICO will not usually have an issue.
- Meeting GDPR compliance obligations not only builds customer confidence; it also assures investors and lenders that your organisation is professional and well-organised.