The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) became applicable on May 25, 2018.
It places new data protection obligations on companies doing business in the EU, including security of processing, pseudonymisation, breach notification, and other issues that arise when handling personal data.
Article 37 of the GDPR requires certain organisations to designate a Data Protection Officer (DPO) to assist with regulatory compliance.
If you sell products or services to people in the EU, or monitor their behaviour, you may need a DPO in 2018.
This is an overview of the DPO requirement in the GDPR and how to comply with it so you avoid the steep fines and other penalties the regulation provides for.
The Data Protection Officer, or DPO, is an individual designated by an organisation to assist it in complying with the GDPR. The regulation sets no specific experience or education requirements for this individual; Article 37(5) only says the DPO must be designated on the basis of professional qualities, in particular expert knowledge of data protection law and practices.
The duties of a DPO are listed in the Article 39 of the GDPR regulation:
This places the DPO as a high-level legal compliance executive or an expert consultant if hired as an independent contractor.
Since finding the right person or consultant can be a significant time and financial investment, it's important to know whether hiring this individual is mandatory for your company.
If the core activities of your business involve any of the following, you'll need a DPO regardless of where your business is headquartered:
Special categories of data (Article 9) are sensitive personal information such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, and data concerning sex life or sexual orientation. Data relating to criminal convictions and offences (Article 10) triggers the same DPO requirement when processed on a large scale.
Public authorities and bodies always need a DPO, except courts acting in their judicial capacity.
If you do not handle personal data, the DPO requirement does not apply to you.
Article 4(1) of the GDPR defines personal data as:
This definition of personal data is broader than US companies may be used to. So even if you feel all of your systems are in compliance, perform an internal audit.
The data you control may be considered personal under the EU requirements even if it avoids that categorization under the laws of your local jurisdiction.
If anything you collect falls under one of these categories, review the DPO compliance checklist below.
Here's what you can do to comply with the DPO requirements from the GDPR act:
Your app or business may have a greater reach than you realize.
Unless you deliberately shut the EU out of your business, people there can still use your products and services. Under Article 3(2), offering goods or services to individuals in the EU, or monitoring their behaviour, is enough to bring you within the GDPR even with no EU establishment; note that merely being reachable from the EU is not, by itself, sufficient. It is this link to people in the EU that may trigger the DPO requirement.
Also, realize that even small companies must comply. During the drafting of the regulation, the DPO requirement was at one point limited to enterprises with more than 250 employees.
That threshold did not survive in the final text, so even a recent startup that builds apps needs to consider compliance policies if it markets and sells products to people in the EU, or uses the platforms that make that possible.
If your core activities consist of regular and systematic monitoring of individuals on a large scale, or of large-scale processing of the special categories of data mentioned above, you'll need a DPO.