GDPR The Basic Facts — Data Protection Officers
This e-book is derived from a full GDPR course I created that has had over 11,000 student enrolments. I thought it would be useful to provide a version on Medium. Data protection law can be complex and an e-book cannot cover every organisation’s circumstances, so be sure to seek professional advice if you have any doubts when processing personal data.
In this chapter I cover the role of Data Protection Officers.
The Data Protection Officer (or DPO) is an individual who works for, or on behalf of, an organisation and has a formal role to promote and advise on data protection compliance. Their role is to advise the organisation, monitor its compliance and act as the organisation’s face for data protection matters towards data subjects and the regulator.
Organisations that process personal data have an obligation to appoint a Data Protection Officer in certain circumstances. This ensures that data subjects and the regulators always have a responsible point of contact for data protection matters.
Appointing a Data Protection Officer is not mandatory for every organisation, and the regulation is open to interpretation around the thresholds that trigger an appointment. It is important to note that it is not the size of an organisation that drives the requirement. Instead, each organisation should take a risk-based decision, erring on the side of ensuring that someone in the organisation has responsibility for data protection wherever personal data is handled. An appointment is mandatory for public authorities and bodies, for organisations whose core activities involve regular and systematic monitoring of data subjects on a large scale, and for organisations whose core activities involve large-scale processing of special categories of personal data or data relating to criminal convictions. The regulation doesn’t define “large scale” or give numeric thresholds for these terms, so the risk-based approach remains an organisation’s best barometer for when to make an appointment.
Some organisations will fall outside these requirements, but the regulators’ guidance is that, unless it is obvious that a DPO is not required, organisations should appoint one. Where an organisation decides not to appoint a DPO, it is good practice to document the reasoning behind that decision.
The DPO in the organisation
The Data Protection Officer should be an independent voice, reporting to senior management (or, as the regulation puts it, to the “highest management level”) so that their independence is protected. The DPO must not be penalised or dismissed for performing their duties, and the role must not conflict with any other responsibilities held by the individual; for example, someone who decides the purposes and means of processing, such as a head of IT or marketing, would be assessing their own decisions.
As an advisory role, the DPO is not personally responsible for compliance; that responsibility rests with the organisation. If the organisation chooses not to follow the advice of the DPO, then the decision and the reasons for it should be documented.
The DPO doesn’t have to hold any specific qualifications but must have the expertise needed to interpret data protection law and practice. They must also know enough about the organisation, its processing activities and its information systems to carry out their duties effectively. The more complex or sensitive the organisation’s processing is, the higher the level of expertise the DPO should have.
The DPO does not have to be a full-time role, but should have time to perform their role properly. The DPO should be given the necessary resources to allow them to do their job, for example, if the volume of work merits it, additional supporting staff may be necessary to help the DPO carry out their duties.
Organisations can share a Data Protection Officer with other businesses, provided the DPO remains easily accessible from each of them, and can even outsource the role to an external provider under a service contract if required.
The role of the DPO
The Data Protection Officer should act as an advisor, informing employees and management of their data protection obligations. They should advise on whether a data protection impact assessment (DPIA, often called a privacy impact assessment) is needed, review how it is carried out, and help with privacy-by-design decisions.
As well as advising, they should monitor the organisation’s compliance with the organisation’s policies, processes and operational procedures to ensure that they adhere to the GDPR and protect the rights of data subjects. The Data Protection Officer should also monitor the training and awareness of staff to help ensure that organisations follow their processes effectively.
The Data Protection Officer acts as the designated contact point for anyone needing to contact the organisation about data protection matters, and the organisation must publish the DPO’s contact details and communicate them to the supervisory authority. The contact point serves supervisory authorities, such as the UK’s ICO, should they have concerns about the way in which personal data is being processed, and individuals who need to contact the organisation in relation to their personal data. If anyone contacts the organisation seeking to exercise their rights under the GDPR, then the DPO will generally be the point of contact.