Who is a Data Protection Officer [Role and responsibilities]

Who is a Data Protection Officer?

Data Protection Officer (DPO) is a new leadership role that is created with the enforcement of the General Data Protection Regulation (GDPR).

The DPO is a cornerstone of accountability, a role that can facilitate compliance and competitive advantage for businesses.

In addition to facilitating compliance through accountability tools- like data protection impact assessments (DPIA) and carrying out audits, DPO acts as an intermediary between relevant stakeholders.

DPO also oversees the data privacy and data protection policies to ensure the operationalization of those policies through all organizational units and makes sure the organization processes personal data in a compliant way.

Your DPO should operate independently, with full support from upper management and the Board, and have access to all needed resources to do the job according to best practices.

Check out our short video for a better insight into the role of Data Protection Officer:

What is Data Protection Officer’s role?

DPO is obligated to monitor internal compliance and ensure that the company or organization processes personal data in compliance with data protection laws.

Data Protection Officer should cooperate with organizational units involved in processing personal data, like Marketing, HR, or Legal.

The DPO is usually an IT professional or legal expert, not both. Therefore, cooperation is essential because it is almost impossible for one person to have continuous insight into the regulatory segment and the data segment of all business processes.

DPO tasks and responsibilities under the GDPR

The GDPR sets minimum responsibilities for a DPO that revolve around supervising the implementation of a data protection strategy, assuring compliance with GDPR, and other applicable data protection laws.

A data protection office is a busy place with an extensive set of responsibilities, and Article 39 of the GDPR outlines the DPOs’ core activities, tasks, and responsibilities:

• Inform and advise the company (data controller or data processor) and employees how to be GDPR compliant and how to comply with other data protection laws
• Manage internal policies and make sure the company is following them through
• Raise awareness and provide staff training for any employees involved with processing activities
• Provide advice regarding the data protection impact assessment and monitor its performance
• Give advice and recommendations to the company about the interpretation or application of the data protection rules
• Handle complaints or requests by the institutions, the data controller, data subjects, or introduce improvements on their own initiative
• Report any failure to comply with the GDPR or applicable data protection rules
• Monitor compliance with GDPR or other data protection law
• Identify and evaluate the company’s data processing activities
• Cooperate with the supervisory authority
• Maintain the records of processing operations

DPO is not personally responsible for the GDPR compliance of the organization, it is always a controller or the processor who is required to demonstrate compliance.

The controller or the processor is obligated to provide all necessary tools, resources, and personnel to enable DPO to perform tasks.

Qualifications of Data Protection Officer

When appointing a DPO, you will want to consider expert knowledge, professional qualities, and the candidate’s ability to perform the role of a DPO.

Most commonly, DPO is an IT professional (Security) or an expert with a legal background, but this is not the rule.

DPO should also be a person who is familiar with the business and day-to-day operations that an organization conducts with an emphasis on data processing activities.

GDPR does not specify exact qualifications for the Data Protection Officer, and there are no official certificates.

However, certain organizations provide training and education, like the International Association of Privacy Professionals or IAPP that is considered valued in the data protection community.

We can expect the EU will create standards and certifications that will provide training, programs, and exams that will create appropriate expertise levels to perform the role of a DPO.

The GDPR states that the favorable qualities of a DPO would be expert knowledge of data protection law and practices and the ability to fulfill his tasks.

There should also be a division of responsibilities between DPO and other organizational units. If not, the DPO will face the impossible challenge of overseeing all business processes.

DPOs’ place in the organization

DPO should be an integral part of your organization and report directly to the highest management level, with access to the data processing activities to truly ensure compliance, propagate data protection measures, and perform assigned duties independently.

Organizations are obligated to ensure that the DPO is involved properly and in a timely manner on issues related to the data processing activities within the organization.

• Organizations are obligated to ensure that the DPO is involved, properly and on time, in all issues related to personal data protection.
• Organizations should support the DPO in performing tasks by providing resources, access to personal data and processing operations, and maintaining expert knowledge.
• Organizations should not instruct the DPO on how to carry out tasks.
• DPO can not be penalized or dismissed for performing tasks.
• The DPO reports directly to the highest management level.
• Data subjects may contact DPO about all issues related to processing of their personal data and the exercise of their rights under the GDPR.
• The DPO is bound by secrecy or confidentiality concerning the task performance.
• The DPO can fulfill other tasks and duties, as long as they do not result in a conflict of interests.

You can read more about it in the Report on the status of Data Protection Officers.

DPO Requirements and job description

The DPO requirements can vary depending on the needs and specific circumstances of the industry, workplace, and environment.

You should opt for a professional with a certain level of knowledge and expertise in data protection laws.

Understanding how your business operates can help enormously. However, we find these requirements to be the most common:

• Background and expertise in legal, data compliance, audit, or IT security
• Knowledge of data protection legislation, particularly GDPR and similar national laws
• Relevant work experience of monitoring compliance with regulatory requirements and engaging with regulatory bodies
• Experienced in the operational application of privacy law
• Familiarity with computer security systems
• Experience in managing data breaches
• Experience in cooperation with supervisory authorities of any kind
• Understanding the environment in which business operates and associated data protection risks
• Experience in conducting data protection impact assessments
• Understanding GDPR requirements
• Find out what are DPO requirements in your country.

Nowadays, a lot of big companies and small businesses need a qualified and skilled DPO. But it is also important for a Data Protection Officer to find an employer who will fit their needs.

On job search websites, like Jooble, you can find a huge variety of vacancies from different companies to choose from. And no matter on which step of your career ladder you are – you can always find your place and move higher.

Which tools does a DPO need?

Without an effective tool, it is highly unlikely (or should we say impossible) for a DPO to understand and monitor all data processing activities, data deletion schedules, and fulfillment of data subject rights. Learn how DPO software can help you.

It is a company’s responsibility to ensure that the DPO can do the job efficiently.