If you have a presence in Europe, serve European customers, or use a data center in Europe, you need to follow the General Data Protection Regulation (GDPR). You may need a dedicated Data Protection Officer, whose roles include complying with the GDPR, handling data access requests, educating staff, and liaising with regulators. Here’s what else you need to know.
The GDPR is a European Union regulation that took effect on May 25, 2018. It has legal force in all EU member countries. (At the time of writing, the GDPR’s measures also applied in the United Kingdom through its domestic laws.)
Although it is a European law, businesses outside of Europe may have to follow it. That’s because the GDPR applies in any of three scenarios:
If you’re covered by the GDPR, you must have a data protection officer if any of the following apply:
There’s nothing to stop you from appointing a data protection officer even if the GDPR doesn’t require it. Doing so could make it easier to comply with the GDPR’s wider measures and may be necessary under some other privacy laws.
The GDPR uses the term "Data Protection Officer" rather than Chief Data Protection Officer or Chief Privacy Officer. It's fine to have multiple staff members working on data privacy matters, but you must designate one person as "data protection officer" for GDPR purposes.
The GDPR sets out four specific duties that a data protection officer must carry out.
The GDPR is a lengthy document with extensive requirements. These are some key things your data protection officer must make sure you do to comply:
As with any industry, GDPR covers the way you use and store data about suppliers and customers. However, software development brings specific responsibilities in making sure all your apps or platforms inherently handle data in a compliant way. Your data protection officer will need to push your developers to do the following with your software:
Whoever you appoint as data protection officer must have the skills to carry out the role, most notably having expert knowledge of data protection law.
You can appoint an existing staff member, hire somebody new, or use an outside contractor. It’s fine to share a data protection officer with other organizations such as a sister company or to have a data protection officer who also does other work for you. The key is that no matter what setup you choose, your data protection officer must have the necessary resources, including their time, to fulfill their duties with no conflict of interests.
Your data protection officer must have operational independence. This means you can’t tell them how to do the job and you can’t dismiss them simply for carrying out their duties. You must give them the authority to carry out the role.
As the GDPR is only a few years old, you may want somebody who has experience working on other data privacy matters and risk assessment. Wherever possible, appoint somebody with specific experience with data protection in your industry.
A good data protection officer will also have skills and experience dealing with people and organizations. They must be able to assign and explain responsibilities clearly and develop workable data policies. They’ll also need to deal sensitively with staff and understand your needs and constraints while maintaining their operational independence.
Now that the GDPR has been in effect for a few years, many data protection officers have practical experience with ensuring compliance in the real world. Here are a few key tips they’ve shared.
Adrian Leung of Equifax stresses the importance of having “training and systems in place to identify, monitor, and progress [data access requests] centrally and efficiently.”
Dave Swarthout of Monetate says that “someone who is confident that they are 100 percent prepared, might not have spent enough time on the matter and have a false sense of security.”
As more countries and states adopt rigorous privacy laws, having a data protection officer makes business sense, even when it's not a legal requirement. Making sure your business complies with all applicable rules is a specialist, complex task that requires professionalism and expertise. It's also a great signal to customers that you take their privacy seriously.