Data Protection Officer (DPO)
Data Protection Officer Definition
A Data Protection Officer (DPO) is a person who is held accountable for the organization’s GDPR compliance and its overall data security strategy. A DPO acts as the key intermediary between the organization, authorities, and data subjects (people sharing their data with the organization).
Appointing a Data Protection Officer is one of the GDPR requirements, which took effect in May 2018.
Data Protection Officer Qualifications
The position of a Data Protection Officer requires the following qualifications:
- in-depth knowledge of national, European, and international data protection legislation and practices
- a firm understanding of the GDPR requirements
- familiarity with the internal data processing operations within an organization
- a solid tech and data security background
- specific domain and business expertise
Data Protection Officer Duties
A Data Protection Officer is responsible for:
- GDPR compliance within the organization
- informing and training all involved parties on their data protection obligations
- performing data protection impact assessments
- communication with the supervisory authorities (i.e. the Information Commissioner’s Office) as well as data subjects
- supervising the high-risk activities involved with data processing
- the accountability of the data processing and record keeping
- raising awareness and fostering the data privacy culture within the organization
Does Your Company Need a DPO? When Should You Hire One?
Under GDPR, an organization must appoint a DPO when:
- it is a public authority
- it deals with regular and systematic data monitoring and processing at scale
- it handles special data categories, including sensitive personal data or data on criminal convictions and offenses
In other cases, it is also highly recommended to have a person in place to supervise the data-related processes within the organization.
Organizations are required to hire a DPO before GDPR takes effect in May 2018, so the sooner the better.
Who Can Be Appointed as a DPO?
The possible candidates for the role of a DPO include:
- an in-house Data Protection Officer
- an external Data Protection Officer contractor
- a qualified technology consultancy (“DPO as a service”).
A Data Protection Officer's roles and responsibilities can also be divided among several existing in-house employees until you find and hire a dedicated specialist for this position.
What Are the Possible Implications of Not Appointing a DPO?
Failing to appoint a DPO can be considered a direct violation of the GDPR requirements. In case of non-compliance, the organization will be subject to monetary penalties.