The General Data Protection Regulation (GDPR) brought in extensive and wide-ranging changes to Data Protection Law and Regulation. It has imposed significant and wide-reaching legal obligations on both small and large businesses.

Large businesses, with access to larger resources and internal legal departments, may be better able than smaller businesses to comply with their legal obligations under the GDPR.

SMEs (small and medium enterprises) may not be able to adjust their internal data protection practices and policies so easily, nor will they be able to consistently keep up with the ongoing obligations under the GDPR.

Do I need a DPO?

Under the GDPR there are certain situations where you must appoint a DPO.

If you are a public authority or body, or if your core activities require large scale, regular and systematic monitoring of individuals, or if your core activities consist of large scale processing of special categories of data (such as medical records) or data relating to criminal convictions and offences, then you must appoint a DPO.

Even if you are not required to appoint a DPO, you are required to ensure that your business or organisation has sufficient resources to comply with your obligations under the GDPR and the Data Protection Act 2018.

What can a Virtual DPO do?

For SMEs it is often difficult to find someone within your organisation who has the necessary skills and experience to deal with all Data Protection issues, ranging from protecting against data breaches and staff training to dealing with data access requests.

The GDPR does not require that you recruit someone within your own organisation; you can engage a DPO on an outsourced service contract. This is where virtual DPOs (vDPOs) have come in, and they are a common feature in many SMEs.
