The DPO (data protection officer) role under the GDPR
What is a data protection officer?
Data protection officers (DPOs) are independent data protection experts who monitor an organisation's compliance, inform and advise it on its data protection obligations, and act as a contact point for data subjects and for the relevant supervisory authority (in the Netherlands, the Dutch Data Protection Authority, the Autoriteit Persoonsgegevens).
Under the EU GDPR (General Data Protection Regulation), many organisations are required to appoint a DPO.
The DPO’s role and responsibilities
Articles 37–39 of the GDPR set out its DPO-related requirements: when one must be appointed (Article 37), the nature of their position in the organisation (Article 38) and the tasks they must carry out (Article 39).
Infringements of these articles fall under the GDPR's lower tier of administrative fines (Article 83(4)): up to €10 million (about £8.5 million) or 2% of annual global turnover, whichever is higher. It is therefore important to meet the DPO obligations correctly and in full.
The DPO's tasks
The DPO reports directly to "the highest management level" in the organisation (Article 38(3)) and has the following tasks under Article 39:
- Informing and advising the organisation and its employees of their data protection obligations.
- Monitoring the organisation's compliance with the GDPR and with its internal data protection policies and procedures. This includes monitoring the assignment of responsibilities, awareness-raising, the training of staff involved in processing operations, and related audits.
- Advising, where requested, on whether a DPIA (data protection impact assessment) is necessary, how to conduct one and what outcomes to expect, and monitoring its performance.
- Serving as the contact point for the supervisory authority (the Dutch Data Protection Authority in the Netherlands, or the ICO in the UK) on all data protection issues, including data breach reporting.
- Serving as the contact point for data subjects on privacy matters, including DSARs (data subject access requests).
Appointing a Data Protection Officer
When do I need to appoint a DPO?
Under Article 37(1) of the EU GDPR (General Data Protection Regulation), appointing a DPO is mandatory in three situations:
- When the organisation is a public authority or body (except for courts acting in their judicial capacity);
- When its core activities require regular and systematic monitoring of data subjects on a large scale; or
- When its core activities involve large-scale processing of special categories of personal data (Article 9) or of personal data relating to criminal convictions and offences (Article 10).
The Regulation also leaves scope for each EU member state to specify other circumstances in which a DPO must be appointed. German data protection law (section 38 of the BDSG), for example, requires an organisation to appoint a DPO if, as a rule, at least 20 persons are permanently engaged in the automated processing of personal data (the threshold was ten until it was raised in 2019).
Even where the GDPR does not specifically require a DPO, appointing one is encouraged by the Article 29 Working Party (WP29), whose guidelines on DPOs (WP243) have since been endorsed by its successor, the European Data Protection Board (EDPB), as a matter of good practice and as a way to demonstrate compliance. Note that an organisation that appoints a DPO voluntarily must still comply with the full set of DPO requirements in Articles 37 to 39 of the GDPR.
Do I have to appoint a DPO internally?
The GDPR allows organisations to choose between an internal and an external DPO. The DPO may be a permanent member of staff (internal) or act under a service contract (external). Either way, the DPO must be given the resources needed to fulfil their tasks, so you should also consider the level of support your DPO will need to carry out their duties adequately.
With a shortage of individuals trained to handle the specific DPO responsibilities, outsourcing these tasks and duties can help your organisation address the compliance demands of the GDPR while staying focused on core business activities.
Whatever the decision, IT Governance can help your organisation fulfil the DPO role with outsourced solutions, training for internal development and support services.
Learn more about DPO as a service >>
Key considerations for the DPO role
What are the legal requirements for the DPO role?
The GDPR requires that the DPO operates independently and receives no instructions from their employer on how to carry out their DPO tasks (Article 38(3)). This covers instructions on what result should be achieved, how to investigate a complaint or whether to consult the supervisory authority. Organisations also cannot tell their DPO how to interpret data protection law, and the DPO cannot be dismissed or penalised for performing their tasks.
Although the GDPR allows DPOs to “fulfil other tasks and duties”, organisations are obliged to ensure that these do not result in a “conflict of interests” with the DPO duties. Most senior positions within an organisation are likely to cause a conflict (e.g. CEO, chief operating officer, chief financial officer, chief medical officer, head of marketing, head of HR and head of IT).
The GDPR does not specify the precise credentials a DPO must have. However, in its guidelines on DPOs (WP243), the WP29 sets out minimum expectations for the DPO's expertise and skills:
- Level of expertise – understanding how to build, implement and manage data protection programmes is essential. The more complex or high-risk the data processing activities are, the greater the expertise the DPO will need.
- Professional qualities – DPOs do not have to be lawyers, but they must have expertise in national and European data protection law, including an in-depth knowledge of the GDPR. DPOs must also have a reasonable understanding of the organisation’s technical and organisational structure and be familiar with information technologies and data security.
In the case of a public authority or body, the DPO should have a sound knowledge of its administrative rules and procedures.
How IT Governance can help you
We have a selection of DPO services that can support your organisation's GDPR compliance, no matter how far along you are in your project. Browse our range of GDPR products and services below to find out more, or get in touch with our GDPR team for advice and guidance about the support options.
Shop our DPO products and services
Speak to a GDPR expert
Please contact our expert team, who will be able to give advice and guidance about the compliance options.