The appointment of a data protection officer (DPO) is an essential part of complying with the EU’s General Data Protection Regulation (GDPR). However, what exactly is the role of a DPO? Moreover, who needs to hire one? In this article, we explore the role of a DPO in helping an organisation achieve its compliance goals.
DPO: An introduction
GDPR requires data controllers and processors to hire a DPO when their processing operations require regular and systematic monitoring of data subjects (members of the public) on a large scale, or involve large-scale processing of special categories of data or of data relating to criminal convictions and offences.
Article 38 of GDPR addresses the relationship between controllers, processors and DPOs: “the controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data”.
According to GDPR, a DPO:
- Can be an existing member of staff at the organisation or an external service provider
- Must be provided with the resources required to perform their role and to maintain a good standard of performance
- Must report directly to the highest level of management in the organisation
- Must not be required to perform other tasks that could create a conflict of interest
- Must be hired as the DPO on the basis of their professional record and their knowledge of data protection laws and practices
Who Needs to Hire a DPO?
While GDPR is an EU law, any organisation that collects data within the EU is covered by the regulation, regardless of the physical location of its headquarters. Therefore, it is not only organisations based in the EU that must concern themselves with hiring a DPO.
In general, large organisations (defined as having more than 250 employees) process large quantities of data, and so are expected to hire a DPO. Similarly, all public authorities should hire a DPO.
While small businesses are not required by GDPR to hire a DPO, there are some notable exceptions. If a small business processes large amounts of personal data, participates in large-scale systematic monitoring of people, or processes information that may fall into a “special class” of personal data, a DPO should be appointed. The special classes of personal data include:
- the racial or ethnic origin of the data subject
- the political opinions or the religious or philosophical beliefs of the data subject
- trade-union membership of the data subject
- the physical or mental health condition or sexual life of the data subject
- biometric data
- genetic information
Small businesses may find it useful to hire a DPO even if GDPR does not require them to do so, financial circumstances permitting. Although appointing a DPO may be costly initially, the expertise they provide in keeping the organisation fully GDPR-compliant is worthwhile given the penalties levied against those found to violate the regulation.
Responsibilities of a DPO
The primary responsibility of a DPO is to ensure that the organisation protects the personal data of data subjects to the standards outlined in GDPR. A thorough understanding of privacy laws is fundamental to achieving full compliance with GDPR.
The other responsibilities of a DPO include:
- Educating staff on data subject rights and on their own responsibilities under GDPR
- Advising senior management on GDPR-compliant business practices
- Monitoring activities across the organisation to ensure they are GDPR-compliant
- Cooperating with the lead supervisory authority
- Assessing IT systems, computer networks and data protection safeguards to ensure they are of the required standard
- Notifying data subjects in the event of a data breach
Aside from being a legal requirement for many organisations, the appointment of a DPO is essential for navigating the complexities of GDPR. DPOs are an integral part of implementing organisation-wide GDPR compliance, ensuring that every aspect of the organisation’s operations maintains the privacy of personal data.