Improve Your Understanding of the Data Protection Officer
The EU General Data Protection Regulation (GDPR) made the role of the Data Protection Officer (DPO) ubiquitous among organizations across the world. According to the IAPP-EY Annual Privacy Governance Report 2021, nearly 75% of the organizations surveyed now have a DPO. The role existed before the GDPR, but only a few national laws required organizations to appoint one.
The GDPR sets a defined threshold for the mandatory appointment of a DPO: public authorities, and organizations whose core activities consist of systematically monitoring individuals on a large scale or of processing sensitive data on a large scale. On April 5, 2017, the Article 29 Working Party (WP29) adopted its revised guidelines on DPOs, which suggest that organizations outside that threshold may still appoint a DPO as a best practice rather than as a requirement. While the DPO is not personally responsible for compliance with the GDPR (that responsibility stays with the controller or processor), Article 39 of the GDPR sets out the core tasks the DPO must carry out to help the organization achieve and demonstrate compliance.
What is a Data Protection Officer Under the GDPR?
A DPO supports the organization on all issues relating to the protection of personal data and helps it demonstrate compliance and promote accountability. Data controllers and processors can appoint a DPO from existing internal staff or engage an external DPO under a service contract.
Under the GDPR, a DPO must be independent, must be designated on the basis of professional qualities and expert knowledge of data protection law and practice, and must not receive instructions regarding the exercise of their tasks or be dismissed or penalised for performing them. Controllers and processors are required to support the DPO by providing the resources necessary to carry out those tasks, and the DPO must report directly to the highest level of management.
What are the responsibilities of a DPO?
The GDPR sets out a range of responsibilities for the DPO. Article 38 governs the DPO’s position within the organization, and Article 39 lists the DPO’s tasks. Under Article 39 the DPO is responsible for informing and advising the controller or processor, and the employees who carry out processing, of their obligations under the GDPR, and for monitoring compliance with the GDPR. The DPO must also provide advice, where requested, on Data Protection Impact Assessments (DPIAs) under Article 35 and monitor their performance, and must have ‘due regard’ to the risk associated with the processing operations, taking into account their nature, scope, context and purposes.
The DPO also monitors compliance with the controller’s or processor’s own data protection policies. Under Article 39(1)(b), this monitoring covers:
- The assignment of responsibilities for data protection across the organization
- Awareness-raising on data protection practices
- Training of staff involved in processing operations
- The related audits
Additionally, the DPO acts as the contact point for data subjects (Article 38(4)) and for the supervisory authority (Article 39(1)(e)), including when cooperating with investigations, in data breach notifications, and in Article 36 prior consultation.
When is a Data Protection Officer required?
The GDPR requires data controllers and data processors to designate a DPO in the scenarios set out in Article 37(1). DPO designation is mandatory:
- Where the processing is carried out by a public authority or body (except for courts acting in their judicial capacity)
- Where the core activities of the controller or processor consist of processing operations that require regular and systematic monitoring of data subjects on a large scale
- Where the core activities of the controller or processor consist of processing special categories of data (Article 9) or personal data relating to criminal convictions and offences (Article 10) on a large scale
A group of undertakings may appoint a single DPO to cover these responsibilities across the group, provided the DPO is easily accessible from each establishment (Article 37(2)). Several public authorities or bodies may likewise share a single DPO, taking account of their organizational structure and size (Article 37(3)).
In its guidelines, on a group of undertakings appointing a single DPO, WP29 stated:
“He or she, with the help of a team if necessary, must be in a position to efficiently communicate with data subjects and cooperate with the supervisory authorities concerned. This also means that this communication must take place in the language or languages used by the supervisory authorities and the data subjects concerned. The availability of a DPO (whether physically on the same premises as employees, via a hotline or other secure means of communication) is essential to ensure that data subjects will be able to contact the DPO.”
To learn more about DPO designation under the GDPR and other key provisions, see The Ultimate Guide to the GDPR from OneTrust DataGuidance.