Is the Data Protection Officer your organisation’s missing piece of the puzzle?

Since May 2018, data protection has become even more strict. The GDPR (General Data Protection Regulation) is now mandatory for everyone who processes personal data. Many companies had to familiarise themselves with the 7 data protection principles and quickly adapt. The rules, however, can be hard to understand and harder to implement, which is why many companies have decided to employ a data protection officer (DPO). Hopefully, this article will help you understand a DPO’s role, when you should have one, and what benefits they could provide for your organisation.

What is a Data Protection Officer?

The DPO (Data Protection Officer) is someone within the company who ensures the lawful processing of data. Whenever a company collects and processes personal data, it is the company’s and its employees’ responsibility to handle it lawfully. This affects everyone from business partners to customers and employees, who should be assured that their data is protected. The DPO is involved whenever an issue arises related to processing personal data and makes sure that the organisation is acting within its rights. They are responsible for, among other things, creating relevant data handling protocols, instructing employees on data regulations and monitoring GDPR compliance.

When should you have a DPO?

Regardless of your company’s size or industry, it handles personal data in one way or another. It is therefore obligated to have someone monitor GDPR compliance. However, there are three instances where having a DPO becomes mandatory.

  1. Public authority – Personal data is handled by a public body or authority
  2. Large-scale and regular monitoring – Processing personal data is a core activity and done on a regular basis
  3. Large-scale special data categories – Processing specific ‘special’ category data, meaning sensitive data, as a core activity and on a large scale

Sometimes, an organisation might not fall under any of these three categories but could still benefit from having a DPO. I will explain later how they can assist with GDPR compliance. Many expanding companies seek out a DPO to help with the increasing amounts of personal data.

However, having a DPO may not be suitable for everyone. If you work in a small company, it can be a lot easier and cost-efficient to share the responsibility of GDPR compliance amongst multiple people. Or perhaps your organisation only handles minimal amounts of data that are easy to lawfully process. It is also possible that you have already developed a functional and efficient system that is in no need of restructuring. It all depends on your company’s context.

What does a DPO do?

The DPO’s purpose is to ensure the company’s compliance with the EU regulations, which are enforced by the national data protection authority (DPA) of your country. Infringing upon the GDPR could have grave consequences, since organisations can be fined €20 million or 4% of their global revenue. Due to the confidential nature of their work, the DPO usually reports directly to the highest level of management without any interference from the rest of the organisation.

More precisely, the DPO deals with:

  1. Answering questions and handling concerns regarding the GDPR
  2. Informing the organisation and their employees about their GDPR obligations
  3. Monitoring GDPR compliance through training staff and conducting audits
  4. Making data protection impact assessments
  5. Cooperating and communicating with the DPA

What qualifications does a DPO need?

Finding a qualified candidate is the essential first step. Although the GDPR does not list specific requirements, it suggests that the DPO’s level of expertise should match the complexity of the data operations. Here are some suggestions for what you could look for in a candidate:

  • Relevant experience working with EU and global privacy laws (including drafting of privacy policies, technology provisions, and working on compliance)
  • Having worked with IT programming or infrastructure (including certification in information security standards)
  • Significant experience in carrying out audits of information systems, certification audits, and risk assessments
  • Demonstrating the ability to coordinate with multiple parties and supervisors while working on multiple projects
  • Communication skills to address audiences from various departments with differing levels of knowledge (including the board of directors, data subjects, managers, IT staff and lawyers)
  • The ability to gain required knowledge in dynamic environments
  • Experience in legal as well as technical training and in raising awareness
  • Experience in successfully dealing with different business cultures and industries

Searching for a new employee to fill the position can be challenging. Unfortunately, the demand for skilled DPOs is very high, which means that hiring one can be time-consuming and difficult.

However, a good place to start looking is your own IT or legal department, as they already understand how data is processed and what kind of data it is. Since GDPR compliance is a very dynamic field, the person in the role must stay up to date on the required level of protection and on recent developments. If necessary, that employee should receive GDPR training or certifications.

How can a DPO benefit you?

Here is a short list of the ways a DPO can benefit you and your organisation:

  1. The DPO guides you through the complex GDPR regulations and ensures lawful data handling
  2. They increase overall compliance by instructing board members, managers, and employees on how to handle personal data
  3. In case of a security breach, the DPO will provide the necessary protocols on how to respond internally and publicly, since you must report it to authorities within 72 hours.
  4. They can advise you when distributing technical resources to strengthen cyber security, which includes data protection.

There is so much more you can do!

As you can see, a DPO can simplify the daily operations within your organisation. They alleviate a lot of the pressure that comes with the lawful processing of personal data. The DPO takes on many responsibilities, can meet company-set development goals and, in the end, protects you from large fines and data breaches.

But having a DPO is not the end-all-be-all solution when it comes to data handling, and it may not always be a suitable solution. As in many other areas of cyber security, every member of your organisation plays a crucial role in protecting and processing personal data. Therefore, every employee can benefit from awareness training. They should learn what personal data is, what the 7 data protection principles are, how to handle personal data and much more. Increasing their awareness will help make your organisation more secure.
