DPO is an acronym for Data Protection Officer, a key appointment within your organisation. A DPO is a person who is given formal responsibility for data protection compliance within an organisation, reporting into the CEO. Under the EU's General Data Protection Regulation (GDPR), organisations that fall under certain requirements must appoint a DPO. Where a DPO is appointed, the GDPR sets out a framework for the DPO's roles and responsibilities. It is important to note that not all organisations have to appoint a DPO, and that DPOs are not personally liable for an organisation's non-compliance with the GDPR. Data protection compliance is ultimately the responsibility of the controller or processor of the personal data.
What determines the need to appoint a DPO?
You must appoint a DPO if you are a public authority or body, if your core activities involve the regular and systematic monitoring of individuals on a large scale, or if your core activities involve the processing of sensitive personal data. You will not need a DPO if, for example, you:
- Use personal data once or twice a year to promote your local clothes shop
You do need a DPO if, for example, you:
- Process patient data on fertility and genetics for a hospital
- Process personal data linked to people's online behaviour for advertising purposes
DPO: The Role Explained
The DPO must be involved, from the outset, in all issues related to data protection compliance. DPOs must monitor the organisation's compliance and advise the organisation on data protection issues. They need to carry out data protection impact assessments if the organisation is involved in high-risk processing activities. The DPO also serves as the primary point of contact between the organisation and the supervisory authority responsible for enforcing the GDPR.

The DPO's role is therefore extensive. It includes overseeing data protection activities, devising policies and procedures that enable the organisation to comply with the GDPR, monitoring the implementation of those policies and procedures, ensuring staff are trained in data protection and the GDPR, and handling subject access requests for personal data. If a data breach occurs, the DPO is to inform all affected parties and be the point of contact for supervisory authorities. The exact responsibilities of a DPO vary from organisation to organisation, depending on the collection, storage and processing of personal data taking place.

The DPO must have access to the most senior positions in the organisation. They must be autonomous and independent, and they cannot be dismissed for fulfilling their role as DPO.
The GDPR sets out the DPO's minimum tasks as follows. The data protection officer shall have at least the following tasks:
- to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
- to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
- to cooperate with the supervisory authority;
- to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
The data protection officer shall, in the performance of his or her tasks, have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
What are the legal requirements for the DPO role?
- Independence: The GDPR requires that the DPO operates independently and without instruction from their employer over the way they carry out their DPO tasks. This includes instructions on what result should be achieved, how to investigate a complaint, or whether to consult the ICO. Organisations also cannot tell their DPO how to interpret data protection law.
- No conflicts of interest: Although the GDPR allows DPOs to "fulfil other tasks and duties", organisations are obliged to ensure that these do not result in a "conflict of interests" with the DPO duties. Most senior positions within an organisation are likely to cause a conflict (e.g. CEO, chief operating officer, chief financial officer, chief medical officer, head of marketing, head of HR and head of IT).
What qualifications does a DPO need?
The GDPR does not specify the credentials a DPO should have, but the following are expected:
- Level of expertise – an understanding of how to build, implement and manage data protection programmes is essential. The more complex or high-risk the data processing activities are, the greater the expertise the DPO will need.
- Professional qualities – DPOs do not need to be qualified lawyers, but they must have expertise in national and European data protection law, including an in-depth knowledge of the GDPR. DPOs must also have a reasonable understanding of the technical and organisational measures the organisation has in place, and be familiar with information technologies and data security.
In the case of a public authority or body, the DPO should have sound knowledge of its administrative rules and procedures.
Relentless Privacy and Compliance Services provides DPO Services across 6 global regions.