Under the EU GDPR (General Data Protection Regulation), which came into force on 25 May 2018, certain organisations are required to appoint a DPO (data protection officer). An organisation is required to appoint a designated DPO where it is a public authority or body, or where its core activities consist of either:
- Data processing operations that require regular and systematic monitoring of data subjects on a large scale; or
- Large-scale processing of special categories of personal data (‘sensitive data’) or personal data relating to criminal convictions and offences.
The GDPR is explicit about the tasks that DPOs are required to perform. They include:
- Informing and advising the organisation and its employees of their data protection obligations under the GDPR;
- Monitoring the organisation’s compliance with the GDPR and internal data protection policies and procedures. This will include monitoring the assignment of responsibilities, awareness training, and training of staff involved in processing operations and related audits;
- Advising on the necessity of DPIAs (data protection impact assessments), the manner of their implementation and outcomes;
- Serving as the contact point to data protection authorities for all data protection issues, including data breach reporting; and
- Serving as the contact point for individuals (data subjects) on privacy matters, including subject access requests.
All organisations are required to register their DPO with their supervisory authority, which in Ireland is the DPC (Data Protection Commission). The DPC has released an online registration form to assist companies.
Benefits of an external DPO
Many organisations, particularly smaller ones, may find the DPO’s responsibilities a challenge to deliver, given the breadth of knowledge of data processing and data security operations that the role requires. The GDPR allows organisations to outsource the DPO role to an external provider.
Outsourcing DPO tasks and duties to a managed service provider means you get access to expert advice and guidance that helps you address the GDPR’s compliance demands while staying focused on your business activities. Benefits of outsourcing the role include:
- A practical and cost-effective solution to achieve GDPR compliance;
- Access to independent DPO expertise not available internally;
- No conflict of interest between the DPO and other business activities;
- Application of best practice in achieving and maintaining GDPR compliance;
- Cost-effective compared to an internal appointment; and
- Access to GDPR training and compliance solutions.