Who is a Data Protection Officer?
The Data Protection Officer (DPO) is a new leadership role created by the enforcement of the General Data Protection Regulation (GDPR).
According to the Article 29 Working Party (WP29), the DPO is a cornerstone of accountability, and appointing a DPO can facilitate compliance and give a business a competitive advantage, both highly attractive traits.
In addition to facilitating compliance through accountability tools, such as data protection impact assessments and audits, the DPO acts as an intermediary between the relevant stakeholders.
The GDPR sets minimum responsibilities for a DPO that revolve around supervising the implementation of a data protection strategy and ensuring compliance with the GDPR and other applicable data protection laws.
The DPO also oversees the data privacy and data protection policies to ensure they are operationalized across all organizational units, and makes sure the organization processes the personal data of data subjects (employees, customers, and other individuals) in a compliant way.
The DPO should operate independently, with full support from upper management and the board, and have access to all the resources needed to do the job according to best practices.
What is the Data Protection Officer's role?
The DPO is obligated to monitor internal compliance and ensure that the company or organization processes personal data in accordance with applicable data protection laws.
The DPO is also responsible for demonstrating GDPR compliance and for cooperating with the data protection authority.
The Data Protection Officer should cooperate with the other organizational units involved in processing personal data, such as Marketing, HR or Legal.
The DPO is usually an IT professional or a legal expert, not both. Cooperation is therefore essential, because it is almost impossible for one person to have continuous insight into both the regulatory side and the data side of every business process.
DPO tasks and responsibilities under the GDPR
A data protection office is a busy place with an extensive set of responsibilities. Article 39 of the GDPR outlines the DPO's core activities, tasks, and responsibilities.
Of course, there is much more to the DPO role than the responsibilities outlined in Article 39; we list them below:
- Inform and advise the company (data controller or data processor) and its employees on how to comply with the GDPR and other data protection laws
- Manage internal policies and make sure the company follows them through
- Raise awareness and provide staff training for any employees involved with processing activities
- Provide advice regarding the data protection impact assessment and monitor its performance
- Give advice and recommendations to the company about the interpretation or application of the data protection rules
- Handle complaints or requests from institutions, the data controller or data subjects, or introduce improvements on their own initiative
- Report any failure to comply with the GDPR or applicable data protection rules
- Monitor compliance with the GDPR and other data protection laws
- Identify and evaluate the company’s data processing activities
- Cooperate with the supervisory authority
- Maintain the records of processing operations
The DPO is not personally responsible for the organization's GDPR compliance; it is always the controller or the processor who is required to demonstrate compliance.
The controller or the processor is obligated to provide all the tools, resources and personnel necessary to enable the DPO to perform these tasks.
Qualifications of a Data Protection Officer
When appointing a DPO, you will want to take into account expert knowledge, professional qualities and the candidate's ability to perform the role of a DPO.
Most commonly, the DPO is an IT (security) professional or an expert with a legal background, but this is not a rule.
The DPO should also be familiar with the business and the day-to-day operations the organization conducts, with an emphasis on its data processing activities.
The GDPR does not specify exact qualifications for the Data Protection Officer, and there are no official certificates.
However, certain organizations, such as the International Association of Privacy Professionals (IAPP), provide training and education that is valued in the data protection community.
We can expect the EU to create standards and certifications, with training programs and exams, that establish the level of expertise appropriate for performing the role of a DPO.
The GDPR states that the desirable qualities of a DPO are expert knowledge of data protection law and practices and the ability to fulfil the DPO's tasks.
There should also be a division of responsibilities between the DPO and other organizational units; otherwise, the DPO faces the impossible challenge of overseeing all business processes.
The DPO's place in the organization
The DPO should be an integral part of your organizational structure and report directly to the highest management level, with access to the company's data processing activities, in order to truly ensure compliance, propagate data protection measures and perform the assigned duties independently.
Companies are obligated to ensure that the DPO is properly involved, in a timely manner, in issues related to the data processing activities within the organization.
There should be no conflict of interest between the DPO's responsibilities and duties and any other duties within the organization.
Therefore, it is advised that the DPO does not hold any other role in the organization.
As a company, you can appoint a DPO from among your existing employees, or you can outsource the role to an external DPO.
If your organization does not require a full-time DPO, you can appoint a DPO who works half time as a DPO and half time in another role, provided that those roles are not in conflict with one another.
- The controller and the processor are obligated to ensure that the DPO is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
- The controller and processor will support the DPO in performing these tasks by providing resources, access to personal data and processing operations, and the means to maintain his or her expert knowledge.
- The controller and processor will not instruct the DPO on how to carry out his or her tasks, and they cannot dismiss or penalize the DPO.
- The DPO reports directly to the highest management level
- Data subjects may contact the data protection officer with regard to all issues related to the processing of their personal data and to the exercise of their rights under the Regulation.
- The DPO is bound by secrecy or confidentiality concerning the task performance
- The DPO can fulfil other tasks and duties, as long as they do not result in a conflict of interests
You can read more about this in the Report on the status of Data Protection Officers.
Guidelines for avoiding a conflict of interest with the DPO role are:
- The DPO should not be an employee on a short-term contract
- The DPO should not report to a direct superior; he or she should report directly to top management or the Board
- DPO should be able to manage his/her own budget
- The DPO should not be the controller of the processing activities
- An organization should provide staff and resources so the DPO can execute appointed duties
- The DPO position should have a minimum term of appointment with clearly set out rules for dismissal. In the European Union institutions, that term is between 2 and 5 years, and the DPO can be reappointed for a maximum of ten years.
- The DPO must have the authority to investigate the processes within the company or organization
DPO requirements and job description
The DPO requirements can vary depending on the needs and specific circumstances of the industry, workplace, and environment. You should opt for a professional with a certain level of knowledge and expertise in data protection laws. An understanding of how your business operates helps enormously.
However, we find the following requirements to be the most common:
- Background and expertise in legal, data compliance, audit or IT security
- Knowledge of data protection legislation, particularly GDPR and similar national laws
- Relevant work experience in monitoring compliance with regulatory requirements and engaging with regulatory bodies
- Experience in the operational application of privacy law
- Familiarity with computer security systems
- Experience in managing data breaches
- Experience in cooperation with supervisory authorities of any kind
- Understanding of the environment in which the business operates and the associated data protection risks
- Experience in conducting data protection impact assessments
- Understanding of GDPR requirements
Which tools does a DPO need?
Without an effective tool, it is highly unlikely (or should we say impossible) for a DPO to understand and monitor all data processing activities, data deletion schedules, and the fulfilment of data subject rights. Learn how DPO software can help you.
It is the company's responsibility to ensure that the DPO can do the job efficiently.