What is a data protection officer?
DPOs are independent data protection experts who are responsible for monitoring an organisation’s compliance, informing it of, and advising on its data protection obligations, and acting as a contact point for data subjects and the relevant supervisory authority.
The EU's GDPR (General Data Protection Regulation) has increased the demand for DPOs, but not every organisation is required to appoint one under the Regulation.
Organisations must assess whether they need to appoint one and, if so, who they should give that responsibility to. There are some legal requirements that must be met, such as avoiding conflicts of interest, which can prove challenging.
Data protection courses and DPO support services
We have a selection of products and services that can support your organisation’s GDPR compliance, whether it is an outsourced solution, complementary support or certified training.
Our certified GDPR training courses offer a structured learning path that equips data protection and information security professionals, as well as individuals who lack data protection expertise and experience, with the specialist knowledge and skills needed to deliver GDPR compliance.
Our EU GDPR Learning Path now includes certificated entry-level DPO training courses, preparing attendees to fulfil the DPO role.
The DPO’s role and responsibilities
Articles 37–39 of the GDPR set out its DPO-related requirements: when a DPO must be appointed (Article 37), the nature of their position in the organisation (Article 38) and the tasks they must carry out (Article 39).
Infringements of these articles leave organisations open to the GDPR’s lower level of administrative fines: up to the greater of 2% of their annual global turnover or €10 million, so it’s obviously important to meet the DPO obligations correctly and in full.
The DPO's tasks
The GDPR is explicit about the tasks that DPOs are required to perform.
They include the following:
- Inform and advise the organisation and its employees of their data protection obligations under the GDPR.
- Monitor the organisation’s compliance with the GDPR, other data protection legislation and internal data protection policies and procedures. This will include monitoring the assignment of responsibilities, awareness training, and training of staff involved in processing operations and related audits.
- Advise on the necessity of data protection impact assessments (DPIAs), the manner of their implementation and outcomes.
- Serve as the contact point to the data protection authorities for all data protection issues, including data breach reporting.
- Serve as the contact point for individuals (data subjects) on privacy matters, including subject access requests.
Appointing a Data Protection Officer
When do I need to appoint a DPO?
The appointment of a DPO under the GDPR is only mandatory in three situations:
- When your organisation is a public authority or body;
- If your core activities require regular and systematic monitoring of data subjects on a large scale; or
- If your core activities involve large scale processing of special categories of personal data and data relating to criminal convictions.
There is also scope with the Regulation for each EU member state to specify other circumstances in which a DPO needs to be appointed. Data protection laws in Germany, for example, require every organisation with ten or more employees that permanently process personal data to appoint a DPO.
The newly published Irish Data Protection Act 2018 allows the Minister for Justice and Equality in Ireland, in consultation with the Irish Data Protection Commission, to extend the categories of controllers and processors that are required to designate a DPO.
Even where the GDPR does not specifically require the appointment of a DPO, it is highly encouraged by the European Data Protection Board (EDPB) as a matter of good practice and to demonstrate compliance.
It is important to note that an organisation that appoints a DPO voluntarily must still comply with the full range of DPO requirements in the GDPR.
Do I have to appoint a DPO internally?
The GDPR allows organisations to choose whether to appoint an internal or external DPO. The DPO may be a permanent member of staff (internal) or acting under a service contract (external).
Either way, a DPO must be given the necessary resources to be able to fulfil their tasks. Similarly, you need to consider the level of support your DPO may need to adequately carry out their duties.
With a shortage of individuals trained to handle the specific DPO responsibilities, outsourcing these tasks and duties can help your organisation address the compliance demands of the GDPR while staying focused on core business activities.
Whatever the decision, IT Governance can help your organisation fulfil the DPO role with outsourced solutions, training for internal development and support services.
Learn more about DPO as a service
Key considerations for the DPO role
What are the legal requirements for the DPO role?
The GDPR requires that the DPO operates independently and without instruction from their employer over the way they carry out their DPO tasks. This includes instructions on what result should be achieved, how to investigate a complaint or whether to consult the Data Protection Commission. Organisations also cannot tell their DPO how to interpret data protection law.
Although the GDPR allows DPOs to “fulfil other tasks and duties”, organisations are obliged to ensure that these do not result in a “conflict of interest” with the DPO duties. Most senior positions within an organisation are likely to cause a conflict (e.g. CEO, chief operating officer, chief financial officer, chief medical officer, head of marketing, head of HR and head of IT).
The GDPR does not specify the precise credentials a DPO is expected to have. However, in its published guidelines, the WP29 (now reffered to as the EDPB) defines certain minimum requirements regarding the DPO’s expertise and skills:
nderstanding how to build, implement and manage data protection programmes is essential. The more complex or high-risk the data processing activities are, the greater the expertise the DPO will need.
DPOs do not have to be lawyers, but they must have expertise in national and European data protection law, including an in-depth knowledge of the GDPR. DPOs must also have a reasonable understanding of the organisation’s technical and organisational structure and be familiar with information technologies and data security.
In the case of a public authority or body, the DPO should have a sound knowledge of its administrative rules and procedures.