The General Data Protection Regulation (GDPR) is harmonizing data protection law across the European Union (EU). When it takes effect on May 25, 2018, EU citizens will gain more control, privacy, and security over their personal data. Since the GDPR was approved in April 2016, organizations have been working to meet many of the new compliance requirements the GDPR has introduced. One of these new components is a data protection officer (DPO), and this post will examine which organizations are required to have a DPO and what kind of role a DPO should have in an organization.
If you are more interested in a general overview of the GDPR, consider reading this introductory post instead. If you are unfamiliar with some of the GDPR terms, this page is a helpful resource. Now let’s a take a look at the GDPR requirements for a data protection officer.
What is a Data Protection Officer?
A data protection officer works with an organization to ensure data collection processes follow GDPR data protection law and practices.
When is a DPO Required?
A DPO is required only when an organization meets specific circumstances. These are as follows (GDPR Art. 37):
- The organization is processing personal data on a large scale that reveals race or ethnic origin, political opinions, religious or philosophical beliefs, and genetic or biometric data (GDPR Art. 9).
- The organization is processing personal data on a large scale related to criminal convictions and offenses (GDPR Art. 10).
- The data processing is carried out by a public authority or body.
While some companies are required to have a DPO, any controller or processor is able to appoint one.
Who can be a DPO?
The GDPR specifies that the DPO needs to have expert knowledge on data protection law and practices; however the GDPR doesn’t provide any precise credentials the DPO needs to have. The DPO may be a staff member or someone from an external service provider (GDPR Art. 37).
How is an organization supposed to work with a DPO?
Controllers and processors need to keep the DPO up to date with all issues relating to the protection of personal data, and this must be done in a proper and timely manner. Organizations also need to provide the DPO with all the resources they need to maintain their expert knowledge and to carry out their tasks. Data protection officers cannot receive instructions from controllers and processors on how to complete their tasks or be penalized in any way for carrying out their tasks. DPO’s may have additional duties within an organization, but they cannot result in a conflict of interest (GDPR Art. 38).
What will a DPO do?
At a very minimum, the data protection officer will keep controllers and processors informed of their obligations to the GDPR. Additionally, the DPO will monitor compliance with the GDPR and the policies organizations put in place to protect person data. The DPO will also be the point of contact for the supervisory authority, and when requested, the DPO will provide advice regarding the data protection impact assessment (GDPR Art. 39).
Now let’s take a look at data protection officers and JumpCloud.
JumpCloud and Data Protection Officers
JumpCloud does not meet any of the circumstances where a DPO is required; however, because of how seriously we take security and privacy, we have appointed a DPO.
Despite not falling into the specific categories that require a DPO, JumpCloud feels that it is in the best interests of our users to have more resources and expertise on the security and privacy challenges in the modern internet era.
Security and privacy are at the core of Directory-as-a-Service®, and JumpCloud will be GDPR compliant by May 25, 2018. For more information on JumpCloud’s GDPR compliance, please reach out to us. If you’re curious about our comprehensive directory services, consider signing up for a free account. All of our features are available, and your first ten users are free forever.