The DPO (data protection officer) role under the GDPR
What is a data protection officer?
Data protection officers (DPOs) are independent data protection experts who are responsible for monitoring an organization’s compliance, informing it of and advising on its data protection obligations, and acting as a contact point for data subjects and the relevant supervisory authority.
Under the GDPR (General Data Protection Regulation), many organizations are required to appoint a DPO.
What does a DPO do?
The EU's GDPR (General Data Protection Regulation) has increased the demand for DPOs, but not every organization is required to appoint one under the Regulation.
Organizations must assess whether they need to appoint one and, if so, who they should give that responsibility to. There are some legal requirements that must be met, such as avoiding conflicts of interest, which can prove challenging.
The DPO’s role and responsibilities
Articles 37–39 of the GDPR set out its DPO-related requirements: when one must be appointed (Article 37), the nature of their position in the organization (Article 38) and the tasks they must carry out (Article 39).
Infringements of these articles leave organisations open to the GDPR’s lower level of administrative fines: up to the greater of 2% of their annual global turnover or €10 million (about $11 million), so it’s obviously important to meet the DPO obligations correctly and in full.
The DPO's tasks
The DPO reports directly to “the highest management level” in the organization, and has the following tasks under the GDPR:
- Informing and advising the organization and its employees of their data protection obligations
- Monitoring the organization’s compliance with the GDPR and internal data protection policies and procedures. This will include monitoring the assignment of responsibilities, awareness training, and training of staff involved in processing operations and related audits
- Advising on whether a DPIA (data protection impact assessment) is necessary, how to conduct one and expected outcomes
- Serving as the contact point for the relevant supervisory authority on all data protection issues, including data breach reporting
- Serving as the contact point for data subjects on privacy matters, including DSARs (data subject access requests)
When do I need to appoint a DPO?
Under the GDPR, appointing a DPO is mandatory under three circumstances:
- The organization is a public authority or body
- The organization's core activities consist of data processing operations that require regular and systematic monitoring of data subjects on a large scale
- The organization's core activities consist of large-scale processing of special categories of data (sensitive data such as personal information on health, religion, race or sexual orientation) and/or personal data relating to criminal convictions and offences
SMEs (small and medium-sized enterprises) are not exempt from the DPO requirement, should any or all of the above apply to them.
The GDPR permits member states to specify other circumstances in which a DPO must be appointed. German data protection law, for example, requires every organization with ten or more employees that permanently processes personal data to appoint a DPO.
Even where the GDPR does not specifically require a DPO to be appointed, it is highly encouraged by the EDPB (European Data Protection Board) as a matter of good practice.
However, a DPO has the same legal status whether the appointment is voluntary or mandatory, and organizations will be liable for the same penalties if the DPO role is not fulfilled correctly. They might therefore find it sensible to employ someone in a comparable role to oversee data protection but with the freedom to be more involved in the practicalities.
Do I have to appoint a DPO internally?
The GDPR allows organizations to choose whether to appoint an internal or external DPO. The DPO may be a permanent member of staff (internal) or acting under a service contract (external). Either way, a DPO must be given the necessary resources to be able to fulfil their tasks. Similarly, you need to consider the level of support your DPO may need to adequately carry out their duties.
With a shortage of individuals trained to handle the specific DPO responsibilities, outsourcing these tasks and duties can help your organisation address the compliance demands of the GDPR while staying focused on core business activities.
Whatever the decision, IT Governance can help your organisation fulfil the DPO role with our practical and cost-effective solution - DPO as a Service.
What are the legal requirements for the DPO role?
The GDPR requires that the DPO operates independently and without instruction from their employer over the way they carry out their DPO tasks. This includes instructions on what result should be achieved, how to investigate a complaint or whether to consult the relevant supervisory authority. Organizations also cannot tell their DPO how to interpret data protection law.
No conflicts of interest
Although the GDPR allows DPOs to “fulfil other tasks and duties”, organizations are obliged to ensure that these do not result in a “conflict of interests” with the DPO duties. Most senior positions within an organization are likely to cause a conflict (e.g. CEO, chief operating officer, chief financial officer, chief medical officer, head of marketing, head of HR and head of IT).
What qualifications does a DPO need?
The GDPR does not specify the credentials a DPO must have. However, the WP29 (Article 29 Working Party) published guidelines, which have been adopted by its successor, the EDPB, defining minimum requirements regarding the DPO’s expertise and skills:
- Level of expertise – an understanding of how to build, implement and manage data protection programmes is essential. The more complex or high-risk the data processing activities are, the greater the expertise the DPO will need
- Professional qualities – DPOs do not need to be qualified lawyers, but they must have expertise in national and European data protection law, including an in-depth knowledge of the GDPR. DPOs must also have a reasonable understanding of what technical and organizational measures the organization has in place, and be familiar with information technologies and data security
In the case of a public authority or body, the DPO should have sound knowledge of its administrative rules and procedures.
Speak to an expert
If you'd like to know more about the DPO role, or are unsure whether your organization needs to appoint a DPO internally, or externally, speak to one of our experts today.