In light of the latest survey conducted by the CPO Magazine, we are looking into the role of the Data Protection Officer (DPO).
In this article, you will find answers to questions such as who a DPO is, which companies need to appoint one and what the DPO's responsibilities are.
Data Protection Officer by definition
The UK’s independent data protection authority, the ICO (ICO.org), gives a good definition of who a DPO is:
“DPOs assist you to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority.”
Wikipedia goes even deeper and specifies that:
“The DPO ensures, in an independent manner, that an organization applies the laws protecting individuals’ personal data. The designation, position, and tasks of a DPO within an organization are described in Articles 37, 38 and 39 of the EU General Data Protection Regulation (GDPR).”
To put it in plain language, the DPO is the person in your company whose responsibility is to make sure that the company is GDPR compliant.
Important to know:
The DPO must have the autonomy and independence to perform his or her functions. Therefore, it has to be decided whether the DPO’s functions can be assigned to an existing employee or to an external specialist.
If the DPO position is assigned to an existing employee, he or she is allowed to keep another position within the company, but only to the extent that it does not result in a conflict of interest.
This means that the DPO cannot be involved in deciding which personal data must be processed. Thus, the DPO cannot be the director of the company or the head of the operations, finance, human resources, marketing, IT or legal department.
Appointing a DPO
As described in GDPR.eu, there are three conditions when you are obliged to appoint a DPO:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- processing operations require regular and systematic monitoring of data subjects on a large scale;
- special category data and/or personal data relating to criminal convictions and offences are processed on a large scale.
To determine whether or not you need to appoint a DPO, you should assess whether your organisation meets any of the specified conditions. This assessment could be an integral part of an internal data protection audit. The outcome should be a documented conclusion that can also be made available to the supervisory authority if necessary.
Important to know:
Companies which do not fulfil any of the mentioned conditions are not required to appoint a Data Protection Officer.
In other words, a DPO is not required to be appointed if:
- personal information is not processed at all or is processed on a small scale.
- the main activities of the company rarely involve monitoring data subjects.
DPO’s role and responsibilities
Since the DPO takes the role of an intermediary between the company and the Data Protection Authority, he or she must be easily accessible to the company’s management, employees, the supervisory authorities and data subjects.
The Data Protection Officer must be involved in all issues related to the protection of personal data. GDPR Article 39 specifies the primary tasks of a DPO. In short, these are the tasks:
- to inform and advise the controller or the processor and the employees who carry out the processing of their obligations;
- to monitor compliance with the GDPR, local data protection provisions and the company’s internal policies, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- to provide advice regarding the data protection impact assessment (DPIA) and to monitor its performance pursuant to Article 35;
- to cooperate with the supervisory authority;
- to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, regarding any other matter.
When performing these tasks, the DPO must be aware of the risk associated with the processing operations and must consider the nature, scope, context and purposes of the processing.
The DPO should prioritise and focus on riskier activities, for example situations where special category data is being processed or where the potential impact on individuals could be damaging. In other words, the DPO should provide risk-based advice to your organisation.
If the company decides not to follow the advice given by the DPO, the reasons must be documented in order to demonstrate accountability.
The GDPR Data Protection Officer is a key figure in the updated data management system. Not only does he or she help the company comply with the requirements, but he or she also acts as an intermediary in the relationship between the company, the supervisory authority and the data subject.
Therefore, the Data Protection Officer must be appointed with careful consideration of all the operations within the company.
However, even though the role and tasks of a DPO are crucial to the company, it is important to know that the DPO is not personally liable for data protection compliance. It remains the company’s responsibility to comply with the GDPR.
If the company decides not to appoint a DPO when one is required, this may constitute non-compliance, and the company might face GDPR fines of up to 20 million EUR or 4% of global turnover.
More on this topic:
Records of processing activities in GDPR Article 30
What are the GDPR fines for non-compliance?