Following the publication of the new General Data Protection Regulations (GDPR) in January 2016, businesses that process personal or sensitive data, or systematically monitor behavior on a large scale, will now need to employ a data protection officer (DPO) to help ensure the security of their data and protect them against the huge financial sanctions that could be imposed upon them under the GDPR.



The GDPR supersedes the Data Protection Directive 1995 and will be enforced on 25th May 2018. However, due to the complexity of the GDPR – and the technical challenges of data security in general – , businesses are urged to begin reviewing their data protection processes and procedures now.  What’s more, the new regulations will apply to any organisation that processes EU citizens’ data – whether or not they’re within the EU.  Although the UK is exiting the EU with GDPR coming into effect, any business that trades in the EU will be bound by the regulations.



GDPR has one main focus: to facilitate a single digital marketplace within the EU where the personal information of EU citizens is governed by one law.  It aims to achieve this by making it easier for EU citizens to manage their personal data and extending the accountabilities on the data controllers and data processors. Businesses will now have to seriously consider how they handle the personal information they possess, what information they retain and how they will accommodate the enhanced rights of individuals under the GDPR. Many business documents will also need to be reviewed to ensure they comply with the new regulations, such as contracts, risk assessments and business continuity plans.  Failure to prepare will expose your business to the huge financial sanctions that could be enforced under the GDPR.

Consisting of over 260 pages, the regulations can be difficult to interpret. Once you do, you will need to assess the impact areas within your business and plan, budget and resource activities.  You must ensure you have the right decision makers and influences to effect the necessary changes within your organisation. This is quite a significant overhead for any business so you will need someone within your organisation who is capable of working at an operational and strategic level.



Your DPO will require a number of skills to help them deal with the challenges of GDPR compliance. Firstly, they will need to be an expert in data protection and be familiar with the changes in the regulations and their potential impact on your business.  As GDPR is focused on the modern digital age the DPO will need to have worked in an environment where they have rolled out compliant solutions such as PCI DSS or ISO frameworks and understand how to deploy and protect data from a technology prospective as well as a procedural one. The DPO will also need to be able to carry out risk assessments in order to identify which areas of the business are most at risk of non-compliance or a data breach. The DPO will also need to be able to operate at a strategy and operational level reporting and be comfortable reporting to senior managers, directors and key decision makers within your organisation.

It’s important that the DPO is given the freedom and support to carry out their duties unimpeded. They will need to carry out data protection impact assessments, ensure contracts and documentation are up-to-date and ensure the right technical and operational measures are in place. They will also need to be accessible to your customers, staff and the data protection authority if anyone invokes their rights under GDPR.

The DPO has one job: to protect your business from the potentially crippling financial penalties that could be imposed in the event of non-compliance. In order to do this as quickly and efficiently as possible, they will need to fully understand the impact of the enhanced rights of EU citizens and the additional accountabilities and responsibilities on the data controllers and data processors.



There is no doubt that the General Data Protection Regulations will change the security culture within your business, and appointing the right data protection officer to oversee this change and prepare your business for the May 2018 deadline is an essential step towards ensuring full GDPR compliance.


Written by:

Chris Scott

Program Director/Data Protection Officer