Today, more than ever, B2B Buyers are demanding a B2C experience. They expect information that is timely, relevant, and personalized. They also expect companies to keep up with new trends […]Read More →
Posted February 4, 2022
Posted February 4, 2022
This is the second post in our series to help businesses prepare for the EU General Data Protection Regulation (GDPR). To learn more, see our previous post, “What GDPR Means for B2B Marketers.”
On May 25, 2018, the EU will begin to put into effect a major change for companies doing business in Europe: the General Data Protection Regulation (GDPR), a regulation that will force many organizations to change the way they handle personal data. With the deadline now just weeks away, it’s important for affected businesses to start making sure they have all the required pieces in place.
One of those “pieces” — one that is raising a wave of questions across the business community — is the data protection officer, or DPO. The EU understands that when protecting data is “everyone’s responsibility,” it’s easy for things to slip through the cracks, so they want certain organizations to assign official responsibility to a single individual.
Before we discuss the DPO requirement, it’s important to determine whether the GDPR applies to you.
The regulation applies not only to businesses in Europe, but to any business that processes and stores personal data of EU residents (not just citizens). “Personal data” is defined as any data that could be used to identify an individual, such as names, email addresses, physical addresses, phone numbers, etc. Keep in mind the regulation covers not only customers, but also employees and contractors.
Article 37 of the GDPR states that a data protection officer is required for organizations that (a) are public authorities, (b) engage in “large scale systemic monitoring,” or (c) process “sensitive” personal data such as criminal records.
Many businesses have questions about what constitutes “large scale systemic monitoring,” as the regulation offers no specific guidance. If you have questions about whether your organization falls into this category, consult your legal counsel.
A data protection officer is an individual authorize d by the organization to act as an independent advocate for compliance with GDPR and for appropriate use and protection of EU data subjects’ information.
The GDPR provides some guidance on whom the organization may choose to serve as its data protection officer:
In Article 39, the GDPR lists some specific responsibilities of the DPO, including
Even if your organization doesn’t fall under the requirements for having a data protection officer (see “Which Companies Need a DPO?” above), you may still want to consider appointing one, for the following reasons:
Finally, having a data protection officer is just good business. Data security is a prime concern for all organizations, and having an individual tasked specifically with securing your data can be a tremendous asset, even if it’s not required.