Data Protection Officer – Role and responsibilities
Data Protection Officer (DPO) is a new leadership role that is created with the enforcement of the General Data Protection Regulation (GDPR)
DPO is a cornerstone of accountability and appointing a DPO can facilitate compliance and competitive advantage for businesses- highly attractive traits.
The GDPR sets minimum responsibilities for a DPO that revolve around supervising the implementation of a data protection strategy, assuring compliance with GDPR, and other applicable data protection laws.
DPO also oversees the data privacy and data protection policies to ensure the operationalization of those policies through all organizational units and makes sure the organization processes personal data of data subjects (employees, customers, and other individuals) in a compliant way.
Article 39 of the GDPR outlines the DPOs’ core activities, tasks, and responsibilities:
- Inform and advise the company (data controller or data processor) and employees how to be GDPR compliant and how to comply with other data protection laws
- Manage internal policies and make sure the company is following them through
- Raise awareness and provide staff training for any employees involved with processing activities
- Provide advice regarding the data protection impact assessment and monitor its performance
- Give advice and recommendations to the company about the interpretation or application of the data protection rules
- Handle complaints or requests by the institutions, the data controller, data subjects, or introduce improvements on their own initiative
- Report any failure to comply with the GDPR or applicable data protection rules
- Monitor compliance with GDPR or other data protection law
- Identify and evaluate the company’s data processing activities
- Cooperate with the supervisory authority
- Maintain the records of processing operations
DPO is not personally responsible for the GDPR compliance of the organization, it is always a controller or the processor who is required to demonstrate compliance.
GDPR does not specify exact qualifications for the Data Protection Officer, and there are no official certificates.
However, there are certain organizations that provide training and education, like the International Association of Privacy Professionals or IAAP that are considered to be valued in the data protection community.
DPOs’ place in the organization
DPO should be an integral part of your organizational structure and report directly to the highest management level, with access to the company’s data processing activities to truly ensure compliance, propagate data protection measures and perform assigned duties independently.
Companies are obligated to ensure that the DPO is involved properly and in a timely manner on issues related to the data processing activities within the organization.
There should be no conflict of interest between the DPO responsibilities and duties, and other duties within the organization.
Therefore, it is advised that the DPO should not operate any other role in the organization.
As a company, you can choose and appoint a DPO among the existing employees or you can outsource the role with an external DPO.
If your organization does not require a full-time DPO, you can appoint a DPO that can work half time as a DPO and half time in another role, provided that those roles are not in conflict with one other.
The GDPR (General Data Protection Regulation) outlines six data protection principles that su
What is the ‘legitimate interests’ basis? Article 6(1)(f) gives you a lawful basis for proce
The implications for companies based outside the EU are exactly the same as those for EU countries,