The Data Protection Officer

Do you need a DPO? Think carefully: once you have appointed a DPO, you cannot then decide that you don’t need one.

If you do need a DPO, where are they going to come from? Do you have someone in-house who has the skills, and do they need support in order to carry out their responsibilities? Or perhaps you are going to outsource the post of the DPO?

Who needs a DPO?

  • Public authorities.
  • Organisations whose core activities involve the systematic and regular monitoring of individuals on a large scale.
  • Organisations that process sensitive personal data (medical, financial, criminal) on a large scale.

The DPO is the person who takes responsibility for your data protection compliance, and who has the knowledge and the support of the board.

You may appoint a single data protection officer to act for a group of companies or for a group of public authorities, taking into account their structure and size.

Any organisation is able to appoint a DPO, regardless of whether the GDPR obliges it to do so. Whatever route you take, you must ensure that your organisation has sufficient staff and skills to discharge your obligations under the GDPR.

It is also worth noting that it is not the size of the organisation that dictates the need for a DPO, but rather the amount of personal data it processes.

What are the tasks of the DPO?

The DPO’s minimum tasks are defined in Article 39:

  • To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
  • To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.
  • To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers, etc.).

Can the DPO be an existing employee?

  • Yes, as long as the professional duties of the employee are compatible with the duties of the DPO and do not lead to a conflict of interests.

Does the data protection officer need specific qualifications?

  • The GDPR does not specify the precise credentials a data protection officer is expected to have.
  • It does require that they have professional experience and knowledge of data protection law. This should be proportionate to the type of processing your organisation carries out, taking into consideration the level of protection the personal data requires.