The data protection officer (DPO) role under the GDPR
A DPO has formal responsibility for data protection compliance within an organisation.
The appointment of a DPO under the EU General Data Protection Regulation (GDPR) is mandatory in only three situations (Article 37(1)):
- When the organisation is a public authority or body;
- When the organisation's core activities require regular and systematic monitoring of data subjects on a large scale; or
- When the organisation's core activities involve large-scale processing of special categories of personal data (Article 9) or of personal data relating to criminal convictions and offences (Article 10).
There is also scope within the Regulation for each EU member state to specify other circumstances in which a DPO must be appointed. Data protection law in Germany, for example, requires an organisation to appoint a DPO where at least ten people are permanently engaged in the automated processing of personal data. The newly published Irish Data Protection Act 2018 allows the Minister for Justice and Equality, in consultation with the Irish Data Protection Commission, to extend the categories of controllers and processors that are required to designate a DPO.
Even where the GDPR does not specifically require the appointment of a DPO, it is highly encouraged by the European Article 29 Working Party (WP29) as a matter of good practice and to demonstrate compliance. It is important to note that an organisation that appoints a DPO voluntarily must still comply with the full range of DPO requirements in the GDPR.
How IT Governance can help you
We have a selection of DPO services that can support your organisation's GDPR compliance, no matter how far along you are in your project. Browse our range of GDPR products and services below to find out more, or get in touch with our GDPR team for advice and guidance about the support options.
The DPO’s tasks
The GDPR is explicit about the tasks that a DPO is required to perform (Article 39). They include the following:
- Inform and advise the organisation and its employees of their data protection obligations under the GDPR.
- Monitor the organisation’s compliance with the GDPR and internal data protection policies and procedures. This will include monitoring the assignment of responsibilities, awareness training, and training of staff involved in processing operations and related audits.
- Advise on the necessity of data protection impact assessments (DPIAs), the manner of their implementation and outcomes.
- Serve as the contact point to the data protection authorities for all data protection issues, including data breach reporting.
- Serve as the contact point for individuals (data subjects) on privacy matters, including subject access requests.
The GDPR does not specify the precise credentials a DPO is expected to have. However, in its recently published guidelines the WP29 sets out certain minimum requirements regarding the DPO's expertise and skills:
- Level of expertise – understanding how to build, implement and manage data protection programmes is essential. The more complex or high-risk the data processing activities are, the greater the expertise the DPO will need.
- Professional qualities – DPOs do not have to be lawyers, but they must have expertise in national and European data protection law, including an in-depth knowledge of the GDPR. DPOs must also have a reasonable understanding of the organisation’s technical and organisational structure and be familiar with information technologies and data security.
In the case of a public authority or body, the DPO should have a sound knowledge of its administrative rules and procedures.
The GDPR requires that the DPO operate independently and receive no instruction from their employer on how they carry out their tasks. This rules out instructing the DPO on "what result should be achieved, how to investigate a complaint or whether to consult the regulatory authority". Nor can organisations tell their DPO how to interpret data protection law.
Although the GDPR allows DPOs to “fulfil other tasks and duties” (Article 38(6)), organisations are obliged to ensure that there is no conflict of interest between those activities and the formal duties prescribed under the Regulation. Most senior positions within an organisation are likely to conflict with the DPO’s duties (e.g. chief executive, chief operating officer, chief financial officer, chief medical officer, head of marketing, head of HR or head of IT).
The DPO cannot be dismissed or penalised for performing their tasks, and organisations must ensure that the DPO reports directly to “the highest management level” in the organisation.
The DPO's task of monitoring the organisation's compliance with the GDPR does not make the DPO personally liable for non-compliance by the organisation. The WP29 states that organisations may decide not to follow the advice of their DPO, since the organisation itself remains responsible for compliance, but when doing so they should document in writing the reasons for not following the advice.
Fines for non-compliance
Failure to comply with the DPO requirements set out in the GDPR (Articles 37 to 39) may result in administrative fines of up to €10 million or up to 2% of global annual turnover, whichever is greater.
The DPO may be employed (internal DPO) or act under a service contract (external DPO). In both cases, a DPO must be given the necessary resources to fulfil the relevant job functions.
Organisations should assess whether they are obliged to appoint a DPO under the Regulation, and consider the requirements that DPOs act independently and without conflict when performing their DPO tasks.
The GDPR allows organisations to choose whether to appoint an internal or external DPO. Whatever the decision, IT Governance can help your organisation fulfil the DPO role.
Certified GDPR training
Our ISO 17024-certificated GDPR Foundation and Practitioner training courses offer a structured learning path to equip data protection and information security professionals, as well as individuals who lack data protection expertise and experience, with the specialist knowledge and skills needed to deliver GDPR compliance and fulfil the DPO role.
Outsourcing the DPO role
The GDPR allows organisations to outsource the DPO role to an external provider. With a shortage of individuals trained to handle DPO responsibilities, outsourcing these tasks and duties can help your organisation address the compliance demands of the GDPR while staying focused on your core business activities.
Speak to a GDPR expert
Please contact our expert team, who will be able to give advice and guidance about the compliance options.