data protection officer dpo

Data Protection Officer’s role and responsibilities

In light of the latest survey conducted by the CPO Magazine, we are looking into the role of the Data Protection Officer (DPO).

In this article, you will find answers to questions like who is a DPO, which companies need to appoint one and what are the DPO-s responsibilities.

Data Protection Officer by definition 

The UK’s independent authority ICO.org gives a great definition of who a DPO is: 

DPOs assist you to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority.”

Wikipedia goes even deeper and specifies that: 

“The DPO ensures, in an independent manner, that an organization applies the laws protecting individuals’ personal data. The designation, position, and tasks of a DPO within an organization are described in Articles 37, 38 and 39 of the EU General Data Protection Regulation (GDPR).”

To put into human language the DPO is a person in your company whose responsibility is to make sure that the company is GDPR compliant. 

Important to know: 

The DPO must have the autonomy and independence to perform his functions. Therefore, it has to be decided whether DPO’s functions can be assigned to an existing employee or to an external specialist.

If the DPO position is appointed to an existing employee, he or she is allowed to keep another position within the company but only to the extent that it does not result in a conflict of interest.

This means that the DPO cannot be involved in deciding which personal data must be processed. Thus, the DPO could not be the director of the company, head of operations,  finance, human resources, marketing, IT or legal departments.

Appointing a DPO 

As described in GDPR.eu, there are three conditions when you are obliged to appoint a DPO:

  1. the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  2. processing operations require regular and systematic monitoring of data subjects on a large scale;
  3. a large scale of special category data and/or personal data relating to criminal convictions and offenses are being processed.

In order for you to determine whether or not to appoint a DPO, you should assess whether it meets the specified conditions. This assessment could be an integral part of an internal data protection audit. The assessment should be a documented conclusion that could also be made available to the supervisory authority if necessary.

Important to know:

Companies which do not fulfill any of the mentioned conditions are not required to appoint Data Protection Officer.

In other words, a DPO is not required to be appointed if:

  • personal information is not processed at all or is processed on a small scale.
  • the main activities of the company rarely involve monitoring data subjects.

DPO’s role and responsibilities 

Since DPO is taking the role of an intermediary between the company and Data Protection Authority, he/she must be easily accessible for the company’s management, employees, the supervisory authorities and data subjects.

If a single DPO role is appointed for the group of companies, then each subsidiary should have equally easy access to the DPO. Therefore, DPO’s contact details must be mentioned in the Privacy Policy and provided to the authorities.

Data Protection Officer must be involved in all issues related to the protection of personal data. GDPR Article 39 has specified the primary tasks of a DPO. In short, these are the tasks:

  1. to inform and advise the controller or the processor and the employees who carry out the processing of their obligations;
  2. to monitor compliance with GDPR and local data protection provisions.  Also, compliance with the internal policies, including the assignment of responsibilities, awareness-raising, and training of staff involved in processing operations, and the related audits;
  3. to provide advice regarding the data protection impact assessment (DPIA) and to monitor its performance pursuant to Article 35;
  4. to cooperate with the supervisory authority;
  5. to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, regarding any other matter.

When performing tasks, DPO must be aware of the risk associated with processing operations. Also, DPO must consider the nature, scope, context, and purposes of the processing.

DPO should prioritize and focus on riskier activities. For example, in situations where special category data is being processed, or where the potential impact on individuals could be damaging. Therefore, DPOs should provide risk-based advice to your organization.

If the company decides not to follow the advice given by the DPO, the reasons must be documented in order to demonstrate accountability.

Summary

The GDPR Data Protection Officer is a key figure in the updated data management system. Not only does he/she help to comply with the requirements, but he also acts as an intermediary in the relationship between the company, the supervisory authority and the data subject.

Therefore, the Data Protection Officer must be appointed with careful consideration of all the operations within the company.

However, even though the role and tasks of a DPO are crucial to the company, it is important to know that the DPO is not personally liable for data protection compliance. It remains the company’s responsibility to comply with the GDPR.

If the company decides not to appoint a DPO when it’s required, it might cause non-compliance and the company might face GDPR fines that can go up to 20 mln EUR or 4% of global turnover.

More on this topic: 
Records of processing activities in GDPR Article 30
What are the GDPR fines for non-compliance?

Are you GDPR compliant?

Assess whether you have to comply with the GDPR in the first place and if you do, what is the level of preparedness of the GDPR compliance. Also check out the answers for the frequently asked questions.
Share on facebook
Share on linkedin
Share on twitter
Share on pinterest
Share on email

Get your compliance organized with proper GDPR tools.
Contact us for a demo and get access to 14-day trial.

Save time and be confident

Latest Posts
DPR software: 10 Great Tools For Compliance in 2024

DPR software: 10 Great Tools For Compliance in 2024

In this article, we will introduce you to some useful GDPR software tools which may help you reach GDPR compliance...
The lawful basis for Data Processing under the GDPR

The lawful basis for Data Processing under the GDPR

A lawful (or legal) basis for processing data must be satisfied before a business can process any personal data. Article 6...
The EU-U.S. Data Privacy Framework: A Transatlantic honeymoon for data flows, but for how long?

The EU-U.S. Data Privacy Framework: A Transatlantic honeymoon for data flows, but for how long?

The European Commission concluded that the United States ensures adequate protection for personal data transferred from the EU to U.S....
A Comprehensive Guide to Personal Data Mapping

A Comprehensive Guide to Personal Data Mapping

Introduction Data privacy and security are of utmost concern in the digital era of today, especially when it comes to...
Data Processing Agreement (DPA)

Data Processing Agreement (DPA)

What is a Data Processing Agreement (DPA)? A Data Processing Agreement (DPA) is a legally binding document to be entered...
Direct marketing rules and exceptions under the GDPR

Direct marketing rules and exceptions under the GDPR

Direct marketing includes text messages (SMS) and emails that a customer receives from a product or service provider. But activities...
Transmitting personal data to third countries

Transmitting personal data to third countries

The GDPR has put strict rules in place, when it comes to data transfer to third countries or international organizations. Which...
Records of processing activities in GDPR Article 30

Records of processing activities in GDPR Article 30

What are the records of processing activities (ROPA)? Article 30 of the EU General Data Protection Regulation (GDPR) requires organisations...
Personal Data Breach Reporting Requirements Under the GDPR

Personal Data Breach Reporting Requirements Under the GDPR

What is Data Breach?According to General Data Protection Regulation (GDPR), a personal data breach is a security incident that results...
Data Protection Authorities (DPA)

Data Protection Authorities (DPA)

Data Protection Authorities (DPA) Data Protection Authorities (DPA) are independent public authorities that supervise, through investigative and corrective powers, the...