GDPR Q&A: The role of the data protection officer (DPO)

Following the third webinar in our EU GDPR (General Data Protection Regulation) webinar series, which was on the role of the data protection (DPO) under the GDPR, we have complied a list of questions and answers participants asked during the webinar.

In this post, IT Governance’s data protection and information security expert, Adrian Ross, answers your questions and provides further clarification about the role of the DPO under the new Regulation.

In terms of sensitive personal data – do utility bills, driving licenses and passport details constitute sensitive personal data?

Sensitive data refers to personal data like biometric data, or other data to do with health and medical information. The other data – utility bills, licenses and passports – include the sorts of details that we would consider personally identifiable information; from any of those data types you can identify an individual.

If we have EU citizens born in the EU but living in the UK, will the GDPR apply to them or does it only apply if you are in an EU member state?

The UK is a member of the EU. Up until the exact moment that the UK formally leaves the EU, all EU legislation applies in the UK just as it did prior to the referendum. We’re really clear about that; there is no way out of this Regulation. Once Britain formally leaves the EU, it will be subject to the same rules as any other non-EU organisation, and the GDPR applies to any organisation that collects data of EU residents.

Germany has had DPOs for a while, and they are typically contracted rather than employees.

Yes, that’s correct. Germany has had data protection officers for quite a long time now, and German data protection regulations are quite stringent, and more specific and restrictive than those currently in the United Kingdom. That’s a good example of where an organisation that works internationally – operating in the United Kingdom and also in Germany, for instance – has to be aware of all such legislation. Once GDPR applies, there will simply be one set of rules for all organisations everywhere in the EU.

Do you plan to carry out training in any other parts of the UK?

Yes, we do – in fact, we run this training course around the UK and are starting to roll it out through Europe now. We have one training course coming to the Channel Islands shortly, and another in Copenhagen, Denmark. You can find out more about GDPR training courses here.

Is a hospital obliged to contract a data protection officer?

Yes. The health sector is one of the biggest areas of exposure in terms of breaches in the first quarter 2016, and they handle and collect very sensitive information.

Do you see the DPO needing the support of a team and, if so, what do you expect the size to be (5-10 people)?

The support varies from organisation to organisation. Organisations that are more customer focused will have lots to do regarding citizens of the European Union. The business model can vary in terms of the team, but I think it is not uncommon to see small teams within large organisations.

Is ISO 27001 a good certification for the data protection officer?

Yes, an ISO 27001 certification is a good idea. Most people who are coming on our courses have an ISO 27001 background. In fact, I was talking to a client yesterday and he said that he has done one of the ISO 27001 courses with IT Governance and he cannot understand why people would not do it. It’s so important, and he made the point that it was especially important for his organisation’s reputation – he works with hedge funds and investment banks, and reputation is hard to build but easily lost.

Organisations need to keep in mind that ISO 27001 is the best-practice standard for information security management. By implementing an ISO 27001 ISMS, organisations prove they have taken the necessary measures to protect themselves against a data breach or cyber attack.

To register for the remainder of the series, click here >>

Did you miss our previous webinars? Don’t worry! You can download the presentation slides and watch the webinar recording here >>

You may also be interested in the below products and services

GDPR training courses:

GDPR books and documentation toolkits:


Share now…

Share on Twitter Share on Facebook Share on LinkedIn