On 25 May 2018, the General Data Protection Regulation will come into effect. Even though the GDPR does not specifically require the appointment of a DPO for all organisations, it is highly encouraged by the European Article 29 Working Party (WP29) as a matter of good practice and to demonstrate compliance. Taking this into account, we look at the main tasks and mission of a data protection officer, should your organisation decide to appoint one.
A data protection officer’s primary goal will be to assist during the implementation project for the GDPR. They will have to give advice, information and recommendations when necessary.
The data protection officer needs to eat, sleep and breathe data protection, and be aware of risks at all times. The Regulation sets out the main tasks of the DPO, which include:
- Inform and advise organisations and their employees to help them comply with the GDPR and other data protection laws
- Monitor the organisation’s compliance with the GDPR
- Manage internal data processes and ensure they are carried out correctly
- Train staff who are involved in handling personal data
- Advise on data protection impact assessments, and monitor performance and compliance
- Register and actively engage with the Office of the Data Protection Commissioner in Ireland or the relevant supervisory authority in other EU countries
- Manage queries regarding data protection, consent withdrawal, the right to be forgotten, etc.
Even though a data protection officer can perform other tasks, they have to be involved in all issues related to personal data protection. They have to be independent, must never be in a conflict of interest, and must always be allowed to act independently of the company’s interests.