GDPR: 9 Months To Go


The newly created role of Data Protection Officer will be critical for any firm affected by the new EU regulation.


The countdown to May 2018, when the EU's new legislation will change the way businesses deal with data privacy forever, has reached 9 months.


One of the first, and most important, acts of preparation for affected firms should have been to employ a Data Protection Officer (DPO). The Information Commissioner’s Office (ICO) states that a DPO must be appointed if you:


are a public authority (except for courts acting in their judicial capacity);

carry out large-scale systematic monitoring of individuals (for example, online behaviour tracking);

carry out large-scale processing of special categories of data or data relating to criminal convictions and offences.


For digital marketers, point two is especially pertinent and likely to apply.


Has your firm already hired a GDPR specialist, or recruited from within? If not, the clock is ticking. Even if you don't think your organisation requires a DPO, it will still need to ensure that it has “sufficient staff and skills to discharge [its] obligations under the GDPR.”


Vuture needs your GDPR questions!


Bringing in our Information Security Officer, Gareth, to directly handle GDPR compliance was one of the first moves we made after the legislation was officially announced.


As a GDPR Guru™, Gareth is encyclopaedically versed in all things infosec, and has kindly agreed to take part in the very first Vuture podcast, or Vuturecast, which will take the form of a Q&A on the GDPR.


The Q&A will focus on the impact of the legislation on marketers, and we’re urging you to participate in advance by sending in questions for Gareth to answer during the event in late September.


Submit your questions here.


The duties of the DPO


What is your DPO responsible for? This is what the ICO has to say:


On the DPO’s responsibilities...


As a bare minimum, DPO’s are required to:


  • Inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
  • Monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments, train staff and conduct internal audits.
  • Be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers, etc.).


On an employer’s responsibilities...


Employers must ensure that:


  • Their DPO reports to the highest management level of your organisation – i.e. board level.
  • Their DPO operates independently and is not dismissed or penalised for performing their task.
  • Adequate resources are provided to enable DPOs to meet their GDPR obligations.


On the role of DPO being allocated to an existing employee...


This is possible if the employee’s duties are compatible with the duties of the DPO and there is no conflict of interest.


The role of DPO can also be contracted externally.


On the DPO needing specific qualifications...


The only requirement is that they have professional experience and knowledge of data protection law. This should be proportionate to the type of processing your organisation carries out, taking into consideration the level of protection the personal data requires.


Could you identify the DPO at your organisation? Digital marketing should be one of their chief concerns, so if they haven’t made themselves acquainted yet, it's something you may want to consider chasing up.


Do you have a GDPR question that needs answering?


Ask our expert and bask in the brief yet heady period of internet fame that a Vuturecast shout-out will provide:



By Adam Deakin, August 2017