The Data Protection Officer (DPO) monitors an organisation’s compliance with GDPR. This involves ensuring the organisation is assigning data protection responsibilities, raising general awareness of GDPR principles, and training staff who are directly involved in processing data. If your business needs to nominate a DPO, consider outsourcing this function. This will be the point of contact for both the Supervisory Authority (in the UK the ICP) and for data subjects.
The DPO must act at arm’s length from the organisation that employs them. This is because their chief priority is to protect EU citizens’ data, and ensure it is not misused by the organisation, so a degree of independence is necessary.
The EU sets out that the DPO “shall be bound by secrecy or confidentiality” in fulfilling their tasks, while the organisation employing them must support them with all necessary resources but cannot give the DPO any instructions about how they go about their tasks.
The DPO also acts as the contact point for the data protection authority – the Information Commissioner’s Office (ICO) in the UK. They would inform the authority of any data breaches their organisation suffers (that affect people’s data), and of any other issues related to personal data processing.
Individuals can also contact the DPO to ask questions about what data an organisation holds on them, or to request that their data is removed or amended.
Without the position of Data Protection Officer, GDPR loses a great deal of transparency. The DPO helps ensure that organisations are complying with the legislation and acts as a central point of contact for the watchdog and citizens, ensuring that any data-related requests can be executed smoothly and quickly, without layers of bureaucracy for people to battle through.
Do you Need a Data Protection Officer?
The short answer is yes, you probably do. The legislation stipulates that a DPO is a compulsory hire for any organisations whose core activities concern data processing that in turn requires “regular and systematic monitoring of data subjects on a large scale“.
In addition, public bodies that collect or process data, and organisations whose core activities relate to processing data concerning ethnicities, religious beliefs, trade union memberships, genetic data, biometrics, sexual orientation and criminal offences and convictions, must appoint one too. The good news for public bodies is that several of them may share the same DPO.
Data Protection Officer Qualifications
Your Data Protection Officer can be appointed from within the company, or he or she can be a fresh hire from outside your company, but they do need to be qualified to hold the position. The GDPR gives organisations a fairly free hand in deeming what qualifications are requisite for the role. It simply states:
“The Data Protection Officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.”
The DPO should be well-versed in data protection law and how to comply with these rules. They can hold other responsibilities within the organisation, as long as these don’t create a conflict of interest with their DPO duties.