Appointing a Data Protection Officer might not be the first step for your company to take when it comes to GDPR compliance. Yes – you are likely to need a Data Protection Officer. But it is naive to expect that a Data Protection Officer will be able to ensure GDPR compliance from day one.
This puts you at risk if appointing a Data Protection Officer is something you plan to do only on 25th May 2018.
Your Data Protection Officer is primarily in charge of monitoring data protection compliance and training your staff, plus communicating with the data protection supervisory authority when necessary. Whereas the last function only becomes relevant on 25th May 2018, the first two should clearly begin earlier. It is hard to imagine adapting all the activities and policies on day one. Equally, it is impossible to train all of the management and staff on day one.
Both adaptation and training should start well before the GDPR kick-off date. They may be performed by a Data Protection Officer you have already appointed, by a hired consultant, or by an in-house team. But they must start a year, or at least some months, beforehand to be able to guarantee compliance as of 25th May 2018.
Moreover, a Data Protection Officer is primarily in charge of ensuring day-to-day compliance within a compliance and policy system that has already been set up. Asking him or her to do the full adaptation package as part of their regular duties might miss the point. You should make sure the tasks are clearly understood. Once the adaptation of your processes and internal rules to GDPR has been performed correctly, your Data Protection Officer can comfortably start performing their ongoing activities.