Defining a Data Protection Officer (DPO)
When the General Data Protection Regulation, or GDPR, was released, it led to the creation of a new role called the Data Protection Officer, or DPO. This role is mainly responsible for the data protection strategy and implementation of a company to ensure that they are in compliance with the regulations set forth by the GDPR.
Who Needs DPO?
The European Parliament, along with the European Council and the European Commission, created the GDPR to streamline and bolster protection of sensitive data from the European Union’s citizens. One of its requirements is the appointment of a DPO within every organization that processes and stores sensitive, personal information of their citizens. This includes data on race, religion, and ethnicity.
Based on the language of the GDPR, it is not the size of the organization that dictates the need for a DPO, but rather the amount and type of data they process. The problem is that the regulation does not define what is to be considered as “large-scale” data management. There are, however, four points used by governing bodies to identify if a DPO is needed by a company:
- Data items.
- Data subjects.
- Geographic range of data processing.
- Length of time for data retention.
Even if there is no direct definition or guideline about the amount of data handling, most small businesses and organizations do not need a DPO unless the core of what they do is to collect and process personal information from EU citizens.
Responsibilities of a DPO
Under Article 37 of the GDPR, the DPO is a mandatory role required for any organizations that collect, process, and store data from EU citizens. The role is responsible for educating the organization’s people regarding compliance with GDPR, conducting trainings for staff involved in data processing, and auditing security on a regular basis. They are also the main point of contact for a company and Supervisory Authorities, who check and oversee all activities related to data.
Article 30 of the GDPR outlines the responsibilities of a DPO, which include the following:
- Train any and all staff who are involved in processing data.
- Educate the company and its people on the importance of compliance with GDPR.
- Conduct security audits and act on any issues uncovered by this.
- Serve as the main contact person for the company and the Supervisory Authorities of GDPR.
- Monitor the performance of the organization’s data protection efforts.
- Interact with data subjects to inform them about how their data is being used and processed by the organization, along with their rights to have their data removed from the list and what security measures are in place to protect their data.
The DPO is also in charge of keeping records on all data collecting and processing activities of the company.
Data Protection Officer Qualifications
The regulations of the GDPR does not include specific credentials for a DPO, but it does state in Article 37 that the Data Protection Officer should have an expert knowledge when it comes to data protection, laws governing data protection, and best practices. Their expertise in this field should also align with how the company processes data.
The DPO of a company can be a staff member of the processor, and related organizations can even use the same person as their DPO for as long as they are easily accessible to anyone within these related organizations. It is also required by the GDPR that the Data Protection Officer’s contact information should be published publicly and sent to all relevant oversight agencies.
It is also required by the GDPR that Data Protection Officers should not have any conflict of interest. This means that the DPO shouldn’t have responsibilities or duties that would conflict with the role of monitoring. An example of this is that a legal counsel representing the company can have a conflict of interest, which means that the person should not be their DPO. Any company found to violate this provision can face fines of up to 10 million Euros, or 2% of the company’s global turnover, whichever is greater.
DPO Best Practices
Since the GDPR guideline covers protection of their citizens’ data regardless if the organization is within the EU or not, it is predicted that tens of thousands of Data Protection Officers are needed all over the world in order to achieve proper GDPR compliance.
The best asset of a DPO is knowledge about data protection laws, along with a thorough understanding of the organization’s IT infrastructure and processes. Either an existing employee could be placed into this position or they can hire someone new to fill it. In any case, companies should look for candidates who have the ability to manage data protection internally and can report non-compliance to Supervisory Authorities. The best DPO for your organization is one who is reliable and independent, while having no other commitments that can interfere with the role.
It is also ideal that the DPO have great management skills and the ability to interact with both staff and outside authorities. They can then ensure the internal compliance of the company.