
Written by Zlatko Delev

Posted on: May 11, 2021

Data Protection Officer – Role and responsibilities

The Data Protection Officer (DPO) is a new leadership role created with the enforcement of the General Data Protection Regulation (GDPR).

The DPO is a cornerstone of accountability, and appointing a DPO can facilitate compliance and competitive advantage for businesses, both highly attractive traits.

The GDPR sets minimum responsibilities for a DPO that revolve around supervising the implementation of a data protection strategy and assuring compliance with the GDPR and other applicable data protection laws.

The DPO also oversees the data privacy and data protection policies to ensure that they are operationalized across all organizational units, and makes sure the organization processes the personal data of data subjects (employees, customers, and other individuals) in a compliant way.

Article 39 of the GDPR outlines the DPOs’ core activities, tasks, and responsibilities:

  • Inform and advise the company (data controller or data processor) and employees how to be GDPR compliant and how to comply with other data protection laws
  • Manage internal policies and make sure the company is following them through
  • Raise awareness and provide staff training for any employees involved with processing activities
  • Provide advice regarding the data protection impact assessment and monitor its performance
  • Give advice and recommendations to the company about the interpretation or application of the data protection rules
  • Handle complaints or requests by the institutions, the data controller, data subjects, or introduce improvements on their own initiative
  • Report any failure to comply with the GDPR or applicable data protection rules
  • Monitor compliance with GDPR or other data protection law
  • Identify and evaluate the company’s data processing activities
  • Cooperate with the supervisory authority
  • Maintain the records of processing operations

The DPO is not personally responsible for the GDPR compliance of the organization; it is always the controller or the processor who is required to demonstrate compliance.

GDPR does not specify exact qualifications for the Data Protection Officer, and there are no official certificates.

However, certain organizations that provide training and education, such as the International Association of Privacy Professionals (IAPP), are considered to be valued in the data protection community.

The DPO’s place in the organization

The DPO should be an integral part of your organizational structure and report directly to the highest management level, with access to the company’s data processing activities, in order to truly ensure compliance, propagate data protection measures, and perform assigned duties independently.

Companies are obligated to ensure that the DPO is involved, properly and in a timely manner, in issues related to the data processing activities within the organization.

There should be no conflict of interest between the DPO's responsibilities and duties and any other duties within the organization.

Therefore, it is advised that the DPO should not hold any other role in the organization.

As a company, you can choose and appoint a DPO among the existing employees or you can outsource the role with an external DPO.

If your organization does not require a full-time DPO, you can appoint a DPO who works half-time as a DPO and half-time in another role, provided that those roles are not in conflict with one another.
