The GDPR requires organisations to appoint or designate a data protection officer with responsibilities to inform and advise the organisation about compliance with GDPR obligations and other data protection laws. The DPO requirement applies to both data controllers and data processors.
The DPO will also be responsible for monitoring the organisation’s compliance with the GDPR, managing internal data protection activities and carrying out data protection impact assessments ensuring that the organisation has access to effective advice on data protection risks and issues.
The DPO must be the organisation’s main contact for the supervisory authorities and for individuals whose data is processed and also has responsibilities for staff data protection training, staff advice and carrying out internal audits.
DPOs are expected to have expert knowledge of data protection law and practices and the level of knowledge should be determined by the type or level and volume of the organisation’s personal data processing and protection required for the personal data being processed.
The GDPR does not specify the qualifications a data protection officer should have; however, the GDPR requires that the DPO have professional experience and knowledge of data protection law and should be proportionate to the type of processing the organisation carries out.
The GDPR does not put a limit on the size of companies that should appoint DPOs. It states that DPOs must be appointed for all public authorities and by organisations whose core activities involves “regular and systematic monitoring of data subjects on a large scale” or where high volume processing of special categories of personal data as defined in the GDPR e.g. racial or ethnic origin, political opinions, religious or philosophical beliefs, etc. takes place.
Reporting Arrangements and Seniority of DPOs
The GDPR defines the minimum tasks of the DPO in Article 39. It states that the DPO must be responsible for reporting to the highest management level of the organisation which basically means they must be a board level member of the organisation or equivalent.
One of the fundamental aspects of the role of the DPO in the organisation is that they must be allowed to operate independently and cannot be dismissed or penalised for performing their task. This removes the element of bias in the DPOs role as an advisor to the organisation and ensures that they operate without any conflict of interests and can be able to challenge decisions that are not compatible with the GDPR and other data protection legislation at a very senior level in the organisation.
The GDPR also requires that adequate resources are provided to enable DPOs to meet their GDPR obligations and the DPO role can also be allocated to existing members of staff in an organisation as long as their professional duties are compatible with duties of the DPO as specified in the GDPR i.e. the DPO must be allowed to work independently and should not have any conflict of interests.
Organisation that do not wish to employ a full time DPO may externally contract out the DPO role as long as the governance arrangements enable staff to have the DPO readily available for advice to staff and senior management. The DPO requirements set out in the GDPR must fully be complied with and the appointment of the DPO must not be seen as tick-box exercise or a superficial way of complying with the regulations. Operational effectiveness and understanding of data protection legal requirements is what the organisation should be getting from the DPO.
Organisations may also want to consider appointing a DPO with good understanding of information risk management which is essential in the ever changing cyber security environment. DPO should be able to identify and anticipate threats to personal data and be able to review and assess the vulnerabilities of the organisation’s systems and other information assets.