Regulatory Strategies19 April 2016 – Exco InTouch, the leading provider of patient engagement and data capture solutions for clinical research and healthcare providers, has today announced the formation of a strategic partnership with Regulatory Strategies, experts in data protection and compliance. This initiative is in response to upcoming reforms that are designed to further strengthen the data protection policies, procedures, systems and controls of UK and other European organizations.


With last week’s finalisation of the new data protection regulation (GDPR) a number of organisations are already addressing the requirement for a mandatory data protection officer (DPO) to provide stakeholder confidence and also to ensure that the migration to the new regime is as near ‘business as usual’ as possible.

The new legal requirement for a DPO

From 2018, data controllers and data processors must designate a data protection officer to comply with the new EU General Data Protection Regulation.   And as the GDPR applies to organisations outside the EU trading with EU citizens, this requirement extends beyond the EU.

Under Article 35 of the GDPR, data protection officers must be appointed for all public authorities, and where the core activities of the controller or the processor involve “regular and systematic monitoring of data subjects on a large scale” or where the entity conducts large-scale processing of “special categories of personal data” (such as that revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, health etc as defined in Article 9).

Although an early draft of the GDPR limited mandatory data protection officer appointment to companies with more than 250 employees, the final version has no such restriction and most ‘data rich’ organisations will fall into this requirement.

Article 35 does not establish the precise credentials data protection officers must carry, but does require that they have “expert knowledge of data protection law and practices.”  The bar for required expertise is therefore high and expects more than a ‘text book’ approach to data protection.

The GDPR’s recitals suggest the level of expert knowledge “should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor.”

The data protection officer’s tasks are also specified in the regulation to include:

  • Informing and advising the controller or processor and its employees of their obligations to comply with the GDPR and other data protection laws.
  • Monitoring compliance with the GDPR and other data protection laws, including managing internal data protection activities, training data processing staff, and conducting internal audits.
  • Advising with regard to data protection impact assessments when required under Article 33.
  • Working and cooperating with the controller’s or processor’s designated supervisory authority and serving as the contact point for the supervisory authority on issues relating to the processing of personal data.
  • Being available for inquiries from data subjects on issues relating to data protection practices, withdrawal of consent, the right to be forgotten, and related rights.

There must be no conflict of interests in the reporting lines or responsibilities of the DPO – it is effectively an independent Board-level reporting function.

The GDPR allows the data protection officer functions to be performed by either an employee of the controller or processor or by a third party service provider – as is the case with Regulatory Strategies and Exco InTouch.  If this model might fit your business we would be delighted to discuss this with you.

To read the Exco InTouch press release click on this link: Data Protection Officer Press Release_13 April 2016

Source:  Regulatory Strategies Ltd