What Is A DPO (Data Protection Officer) And Do You Need One?

By Isabella Lüders | GDPR | 29 November

Since May 2018, data protection rules have become considerably stricter. The GDPR (General Data Protection Regulation) applies to every organisation that processes the personal data of people in the EU. Many companies had to familiarise themselves with the seven data protection principles and adapt quickly. The rules, however, can be hard to understand and harder to implement, which is why many companies have decided to appoint a data protection officer (DPO). This article explains the DPO’s role, when you must have one, and what benefits one can bring to your organisation.

What is a Data Protection Officer?

A Data Protection Officer’s primary responsibility is to ensure that their organisation processes personal data in compliance with the applicable data protection rules. Whenever a company collects and processes personal data, it and its employees are responsible for handling that data lawfully. This affects everyone whose data is held, from business partners to customers and employees, all of whom should be able to trust that their data is protected. The DPO is involved whenever an issue related to the processing of personal data arises and checks that the organisation is acting lawfully.

The GDPR defines the DPO’s tasks as informing and advising the organisation about its data protection obligations, monitoring its compliance, advising on data protection impact assessments and acting as the contact point for the supervisory authority. In practice, a DPO often also helps draft data-handling procedures and trains employees on the regulations.

When should you have a DPO?

Regardless of your company’s size or industry, it handles personal data in one way or another and is therefore responsible for processing it in compliance with the GDPR, so someone in the organisation should own that task. Appointing a DPO, however, is mandatory only in three cases:

  1. Public authority – The personal data is processed by a public authority or body (other than a court acting in its judicial capacity)

  2. Large-scale, regular and systematic monitoring – The organisation’s core activities consist of regular and systematic monitoring of individuals on a large scale (behavioural tracking or profiling, for example)

  3. Large-scale special category data – The organisation’s core activities consist of processing ‘special’ category data (sensitive data such as health, biometric or political data) or data on criminal convictions on a large scale

Sometimes an organisation does not fall under any of these three categories but could still benefit from a DPO; I explain below how they assist with GDPR compliance. Many growing companies appoint a DPO to help manage the increasing amount of personal data they handle.

However, a DPO is not the right choice for everyone. In a small company it can be easier and more cost-efficient to share responsibility for GDPR compliance among several people. Perhaps your organisation only handles small amounts of data that are easy to process lawfully, or you have already built a functional and efficient system that needs no restructuring. It all depends on your company’s context.


What does a DPO do?

The DPO’s purpose is to support the company’s compliance with the EU regulation, which is enforced by the national data protection authority (the supervisory authority) of your country. Infringing the GDPR can have grave consequences: organisations can be fined up to €20 million or 4% of their worldwide annual turnover, whichever is higher. To preserve the DPO’s independence, the GDPR requires that they report directly to the highest level of management and receive no instructions from the organisation on how to carry out their tasks.

More precisely, the DPO deals with:

  1. Answering questions and handling concerns regarding the GDPR

  2. Informing the organisation and its employees about their GDPR obligations

  3. Monitoring GDPR compliance, including training staff and conducting audits

  4. Advising on data protection impact assessments (DPIAs) and monitoring how they are carried out

  5. Cooperating with the data protection authority (DPA) and acting as its contact point within the organisation

What qualifications does a DPO need?

Finding a qualified candidate is the essential first step. The GDPR does not prescribe specific qualifications, but it requires that the DPO be chosen for their professional qualities and expert knowledge of data protection law and practice, and it indicates that the level of expertise should match the complexity of the data processing involved. Here are some suggestions for what to look for in a candidate:

  • Relevant experience working with EU and global privacy laws (including drafting of privacy policies, technology provisions, and working on compliance)

  • Experience with software development or IT infrastructure (ideally including certification in information security standards)

  • Significant experience in carrying out audits of information systems, certification audits, and risk assessments

  • Demonstrated ability to coordinate with multiple parties and supervisors while working on several projects at once

  • Communication skills to address audiences from various departments with differing levels of knowledge (including the board of directors, data subjects, managers, IT staff and lawyers)

  • The ability to acquire the required knowledge quickly in a changing environment

  • Experience in legal as well as technical training and in raising awareness

  • Experience in successfully dealing with different business cultures and industries

Searching for a new employee to fill the position can be challenging. Demand for skilled DPOs is very high, which means that hiring one can be time-consuming and difficult.

A good place to start looking is your own IT or legal department, since these people already understand what data is processed and how. One caveat: the GDPR requires that a DPO’s other duties not create a conflict of interest, so someone who decides why and how personal data is processed, such as the head of IT, is usually not a suitable choice. Since GDPR compliance is a very dynamic field, the person you appoint must keep up with the required level of protection and recent developments, and should receive GDPR training or certification where necessary.

How can a DPO benefit you?

Here is a short list of the ways a DPO can benefit you and your organisation:

  1. The DPO guides you through the complex GDPR rules and assists with lawful data handling

  2. They raise overall compliance by instructing board members, managers and employees on how to handle personal data

  3. In the event of a personal data breach, the DPO helps run the response procedure, both internally and towards the outside world, since the breach must be notified to the supervisory authority within 72 hours of becoming aware of it (unless it is unlikely to put individuals at risk) and, where the risk to individuals is high, to the affected individuals as well

  4. They can advise you on allocating technical resources to strengthen cyber security, which includes data protection

There is so much more you can do!


But having a DPO is not the be-all and end-all of data handling, and it may not always be the right solution. As in many other areas of cyber security, every member of your organisation plays a crucial role in protecting and processing personal data, so every employee benefits from awareness training: what personal data is, what the seven data protection principles are, how to handle personal data, and much more. Raising that awareness makes your organisation more secure.
