The DPO is a Data Protection Officer and has been spoken about a lot since the announcement of the GDPR. There has been a lot of confusion over what a DPO does and whether organisations are required to have one under the GDPR or just recommended.
What is a DPO?
Whilst the concept of a Data Protection Officer is not a new one, the role has come to the forefront since the announcement of the GDPR. The DPO should be seen as a cornerstone of accountability and appointing a DPO can facilitate compliance and furthermore, become a competitive advantage for businesses. In addition to facilitating compliance through the implementation of accountability tools, DPOs can act as intermediaries between relevant stakeholders.
Is a DPO Mandatory?
Let first look at requirements. A DPO is only mandated under three situations:
- where the processing is carried out by a public authority or body;
- where the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale; or
- where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences. (Art. 37).
Despite some suggestions that SMEs will be exempt this is not the case if any of the above apply. For all companies, even where not mandated, it is highly recommended to have a DPO as a matter of practice.
What does the DPO do?
There are specific tasks that the DPO must perform for GDPR compliance:
- Inform and advise the organisation and its employees of their data protection obligations under the GDPR.
- Regular and systematic monitoring of the organisation’s compliance with the GDPR and internal data protection policies and procedures. This will include monitoring the assignment of responsibilities, awareness training, and training of staff involved in processing operations and related audits.
- Advise on the necessity of data protection impact assessments (DPIAs), the manner of their implementation and outcomes.
- Serve as the contact point to the data protection authorities for all data protection issues, including data breach reporting.
- Serve as the contact point for individuals (data subjects) on privacy matters, including subject access requests.
As an employer what are your duties around the DPO?
You must ensure that:
- The DPO reports to the highest management level of your organisation – ie board level.
- The DPO operates independently and is not dismissed or penalised for performing their task.
- Adequate resources are provided to enable DPOs to meet their GDPR obligations.
Can an existing employee be appointed as DPO?
Yes. As long as the professional duties of the employee are compatible with the duties of the DPO and do not lead to a conflict of interests.
The GDPR does not specify the precise credentials a data protection officer is expected to have.It does require that they should have professional experience and knowledge of data protection law. This should be proportionate to the type of processing your organisation carries out, taking into consideration the level of protection the personal data requires.
You can also contract out the role of DPO externally, for example, to a company like Qlic.
If you are still unsure about any aspect of GDPR or DPO requirements get in touch with us today or visit https://www.qlicnfp.com/managed-it-services/cyber-security/ to find out more.