15 January 2018

My Colleague Anita is dealing with data protection issues for a longer period of time and in December 2017 she has became a data protection officer. Now I am asking Anita about her experiences she has acquired during the course.

Viki: Why have you decided to take the DPO course?

Anita: Soon after the adoption of the General Data Protection Regulation (GDPR) we have started to deal with this topic in the office. We have figured out the GDPR will have an impact on basically all on our corporate clients as if one has employees, it is 100 % that personal data will be processed.

Although we have already gained significant knowledge, our managing partner, Richard encouraged me to deepen it and acquire practical experiences. That is why I have decided to make the GDPR manager – Data Protection Officer course.

Viki: What is the difference between a data protection officer and a lawyer who is specialized on data protection law?

Anita: A data protection officer does not only need legal knowledge but also has to be able to understand all business processes at the company which require the processing of personal data, including information security matters.

As an example, as an attorney who deals with data protection issues I know about what the company needs to inform its employees or clients if he processes their personal data. As a DPO I have to understand and identify the “route” of the collected personal data throughout the company (whether data is transmitted, how long and where is it stored) and what are the security risks on that “route”.

Viki: Have you acquired rather theoretical or practical knowledge on the course?

Anita: Obviously, we had to know the theoretical basics, so we have thoroughly reviewed the GDPR. In fact, as a good advice we were told that if we would like to be DPOs, we should read the GDPR at least 20 times.

However, in the significant part of the course we have learned how to apply the GDPR based on practical examples. For instance, we identified who is who in a data processing activity with multiple actors (eg. if the customer orders a product from our company and it will be delivered by a haulier), how the current data processing activities need to be reviewed and how to make them GDPR-compatible or how the records of data processing activities shall be maintained.

Viki: Which client needs to have a DPO?

Anita: Organizations whose main activity is the regular and systematic monitoring of data subjects (like a security company who operates camera surveillance system) will definitely need to appoint a DPO. Similarly, those companies who are processing sensitive data (eg. health data) on a large scale, like health service providers shall have one.

Of course, based on his own consideration, a company can decide to appoint a DPO to ensure the highest possible level of data protection even if he is not obliged to do so.

During the GDPR-compliance project we are happy to help clients to think over whether is it necessary or worth to appoint a data protection officer.

Anita, thank you for answering my questions.