
Data Protection Officer Definition

A Data Protection Officer (DPO) is a person who is held accountable for the organization’s GDPR compliance and its overall data security strategy. A DPO acts as the key intermediary between the organization, authorities, and data subjects (people sharing their data with the organization).

Appointing a Data Protection Officer is one of the GDPR requirements, which took effect in May 2018.

Data Protection Officer Qualifications

The position of a Data Protection Officer encompasses the following qualifications:

  • in-depth knowledge of national, European, and international data protection legislation and practices
  • a firm understanding of the GDPR requirements
  • familiarity with the internal data processing operations within an organization
  • a solid tech and data security background
  • specific domain and business expertise

Data Protection Officer Duties

A Data Protection Officer is responsible for:

  • GDPR compliance within the organization
  • informing and training all involved parties on their data protection obligations
  • performing data protection impact assessments
  • communication with the supervisory authorities (i.e. the Information Commissioner’s Office) as well as data subjects
  • supervising the high-risk activities involved with data processing
  • the accountability of the data processing and record keeping
  • raising awareness and fostering the data privacy culture within the organization

Does Your Company Need a DPO? When Should You Hire One?

Under GDPR, an organization must appoint a DPO when:

  • it is a public authority
  • it deals with regular and systematic data monitoring and processing at scale
  • it handles special data categories, including sensitive personal data or data on criminal convictions and offenses

In other cases, it is also highly recommended to have a person in place to supervise the data-related processes within the organization.

It is required to hire a DPO before GDPR takes effect in May 2018, so the sooner the better.

Who Can Be Appointed as a DPO?

The possible candidates for the role of a DPO include:

  • an in-house Data Protection Officer
  • an external Data Protection Officer contractor
  • a qualified technology consultancy (“DPO as a service”).

A Data Protection Officer's roles and responsibilities can also be divided among several existing in-house employees until you find and hire a dedicated specialist for this position.

What Are the Possible Implications of Not Appointing a DPO?

Failing to appoint a DPO can be considered a direct violation of the GDPR requirements. In case of non-compliance, the organization will be subject to monetary penalties.
