
GDPR: Do you need to appoint a Data Protection Officer (DPO)?

Published: 25th April 2018

GDPR workshop: What is a DPO and do I need one?



As we’ve discussed in our other videos in this series, GDPR outlined something called a DPO, so what is this and do I need one?

GDPR introduces a set of standards that we must work to if we are collecting, storing and using our contacts' private data. In this instance we are looking specifically at how GDPR applies to email marketing.

To ensure that your organisation is successfully implementing and following everything that this new regulation requires, GDPR includes the role of a Data Protection Officer, or DPO.

The DPO will be the person in your organisation responsible for ensuring that your company is fully compliant at all stages.

OK, so next, let's look at the main areas of responsibility for the DPO:

  • Collection of Data: All email addresses must be collected using a positive action, i.e. the contact has put a tick in a box and asked to be added to your database.

  • Outlining usage of data: The DPO must ensure that all of your contacts are aware of exactly what they are signing up for. This could be included as a statement at the time of data capture.

  • Storing proof of consent: The company must be able to produce a confirmation of when and how the contact asked to join, if they ask for it.

  • Deleting lapsed data: GDPR says that your company must delete any data if it is not used or the contact has requested their info be deleted. GDPR describes this as “the right to forget”.

  • Storage: The DPO is responsible for ensuring that any private data does not leave the EU without the full consent of each person contained within your database. This is especially important if you are using cloud-based software, such as email marketing software.



So, does your company need to appoint a DPO?



The ICO says that you need a DPO if:

  • You are a public authority, or funded with public money

  • Your core activities require large scale, regular and systematic monitoring of individuals (this could include email marketing for example)




So, as in this context we are talking about email marketing, then yes, you will need a DPO as your activities include the processing of private data.

So can the DPO be an existing employee?


Yes, they can, as long as they do not have a conflict of interest. So it can’t be your marketing director who also processes your data, for example.

Can we contract out the role of the DPO?


You can contract out the role of DPO externally, based on a service contract with an individual or an organisation.

It’s important to be aware that an externally-appointed DPO should have the same position, tasks and duties as an internally-appointed one.

Can we share a DPO with other organisations?


You may appoint a single DPO to act for a group of companies or public authorities. They just need to be able to carry out their tasks effectively without being overstretched between lots of companies.

OK, so there we are. We’ve looked at what a DPO is, what their responsibilities are, whether you need one and who can be a DPO.










Email Blaster
Unit 10A Burcote Wood Business Park
Wood Burcote
Northants
NN12 8TA
01327 438077

Email Blaster is a trading name of JC Peters Ltd registered in England & Wales no. 07168254