Data Protection Officer (DPO)

Data Protection Officer Definition

A Data Protection Officer (DPO) is a person who is held accountable for the organization’s GDPR compliance and their overall data security strategy. A DPO acts as the key intermediary between the organization, authorities, and data subjects (people sharing their data with the organization).

Appointing a Data Protection Officer is one of the GDPR requirements, which has taken effect in May 2018.

Data Protection Officer Qualifications

The position of a Data Protection Officer encompasses the following qualifications:

• in-depth knowledge of national, European, and international data protection legislation and practices
• a firm understanding of the GDPR requirements
• familiarity with the internal data processing operations within an organization
• a solid tech and data security background
• specific domain and business expertise

Data Protection Officer Duties

A Data Protection Officer is responsible for:

• GDPR compliance within the organization
• informing and training all involved parties on their data protection obligations
• performing data protection impact assessments
• communication with the supervisory authorities (i.e. the Information Commissioner’s Office) as well as data subjects
• supervising the high-risk activities involved with data processing
• the accountability of the data processing and record keeping
• raising awareness and fostering the data privacy culture within the organization

Does Your Company Need a DPO? When Should You Hire One?

Under GDPR, an organization must appoint a DPO when:

• it is a public authority
• it deals with regular and systematic data monitoring and processing at scale
• it handles special data categories, including sensitive personal data or data on criminal convictions and offenses

In other cases, it is also highly recommended to have a person in place to supervise the data-related processes within the organization.

It is required to hire a DPO before GDPR takes effect in May 2018, so the sooner the better.

Who Can Be Appointed as a DPO?

The possible candidates for the role of a DPO include:

• an in-house Data Protection Officer
• an external Data Protection Officer contractor
• a qualified technology consultancy (“DPO as a service”).

A Data Protection Officer roles and responsibilities can also be divided among several existing employees in-house until you find and hire a dedicated specialist for this position.

What are the Possible Implications for not Appointing a DPO?

Failing to appoint a DPO can be considered a direct violation of the GDPR requirements. In case of non-compliance, the organization will be subject to monetary penalties.