What is the Data Protection Officer (DPO) under the General Data Protection Regulation?

DPOs are responsible for overseeing data protection strategy and implementation to ensure organizational compliance with GDPR requirements.

Why does one need to appoint a DPO?

GDPR makes the appointment of a DPO mandatory for any organization that processes or stores large amounts of personal data, whether that data belongs to employees, to individuals outside the organization, or to both.

DPO responsibilities and requirements

When the GDPR becomes effective on May 25, 2018, the DPO becomes a mandatory role under Article 37 for all companies that collect or process EU citizens’ personal data. DPOs are responsible for educating the organization and its employees on important compliance requirements, training staff involved in data processing, and conducting regular security audits. DPOs also serve as the point of contact between the company and the Commissioner for Data Protection, the Supervisory Authority (SA) that oversees data-related activities.

As stated in GDPR Article 39, the DPO’s responsibilities include, but are not limited to:

  • Educating the company and employees on important compliance requirements
  • Training staff involved in data processing
  • Conducting audits to ensure compliance and address potential issues proactively
  • Serving as the point of contact between the company and Commissioner for Data Protection
  • Monitoring performance and providing advice on the impact of data protection efforts
  • Maintaining comprehensive records of all data processing activities conducted by the company, including the purpose of all processing activities, which must be made public on request
  • Interfacing with data subjects to inform them about how their data is being used, their rights to have their personal data erased, and what measures the company has put in place to protect their personal information

Qualifications for DPOs

GDPR does not include a specific list of DPO credentials, but Article 37 does require a data protection officer to have “expert knowledge of data protection law and practices.” The Regulation also specifies the DPO’s expertise should align with the organization’s data processing operations and the level of data protection required for the personal data processed by data controllers and data processors.

A DPO may be a staff member or an external contractor, and related organizations may share the same individual to oversee data protection collectively, as long as all data protection activities can be managed by that one individual and the DPO is easily accessible to anyone from any of the related organizations whenever needed. The DPO’s contact details must be published publicly and provided to all regulatory oversight agencies.

The way forward

Companies that handle EU citizens’ data are subject to GDPR even if they are not located in the EU. Companies and organizations need to have their DPOs in place before the Regulation goes into effect, so it’s important to begin recruiting and hiring DPOs sooner rather than later in order to secure the most qualified professionals for the role, as they are sure to be in high demand as the deadline approaches.

To employ the right DPO, an organization needs to ensure that the individual has expertise in data protection law and practices and a good understanding of its IT infrastructure, technology, and technical and organizational structure. As mentioned earlier, a company may designate an existing employee or may hire an external DPO. Companies and organizations should look for candidates who can manage data protection and compliance internally while reporting non-compliance to the Commissioner for Data Protection. Ideally, a DPO should have excellent management and communication skills and the ability to interface easily with internal staff at all levels of the organization as well as with any outside authorities.

Dr Adrian Ioannou
Director
High Q Consulting Ltd
adrian.ioannou@gmail.com
+357 99551555