GDPR Fundamentals: Data Protection Officers

by Mark Hinely / September 7th, 2018

Most organizations that are required to comply with GDPR will have a Data Protection Officer (DPO). Under Article 37, designating a DPO is mandatory if you are a public authority or body, if your core activities require regular and systematic monitoring of data subjects on a large scale, or if your core activities consist of large-scale processing of special categories of data or of data relating to criminal convictions and offenses.

Qualifications of a Data Protection Officer

When hiring a DPO, GDPR specifies that the individual must be chosen on the basis of professional qualities, in particular expert knowledge of data protection law and practice. Recital 97 and the Article 29 Working Party guidance add that the level of expertise should match the organization's own processing activities. So, if an organization is a payment processor, its DPO should be familiar with both financial transactions and the data protection rules that apply to them.

Responsibilities of a Data Protection Officer

GDPR describes several tasks for a DPO to perform, including:

  1. Inform and advise the organization, and the employees who carry out processing, of their obligations under GDPR
  2. Monitor and review compliance with GDPR and other data protection laws
  3. Advise on and monitor Data Protection Impact Assessments
  4. Act as the point of contact for supervisory authorities
  5. Cooperate with supervisory authorities in the course of an investigation or inquiry

What a Data Protection Officer Needs

From an organizational perspective, you must provide your DPO with a few things:

  • A DPO must have independence to perform their tasks. They cannot be instructed on how to carry out those tasks or be pressured to reach a particular outcome.
  • A DPO must be accessible both to internal employees and to data subjects.
  • DPOs must also have requisite resources to perform their tasks; this could mean time, money, training, or other resources.

So, what have we learned about DPOs? A DPO is an individual with expert knowledge of data protection law who is organizationally independent: they cannot be told how to do their job and cannot be dismissed or penalized for doing it. The role can be filled by an employee who also holds other duties within the organization (provided there is no conflict of interest), or by an outside contractor. Most organizations are going to require a DPO.

Video Transcript

GDPR requires certain organizations to have Data Protection Officers. The requirement applies if you are a public authority or a body; your regular activities require large-scale, regular, and systematic monitoring of individuals (i.e. tracking online behavior); or your core activities consist of large-scale processing of special categories of data or data related to criminal convictions or offenses. For example, a hospital that is processing large-scale quantities of healthcare data would require a Data Protection Officer. From a professional perspective, most organizations are going to require a Data Protection Officer.

GDPR specifies the qualifications of a Data Protection Officer in a limited capacity. The law says that Data Protection Officers should have the required expertise and experience with data protection laws. Guidance also indicates that Data Protection Officers should have experience and expertise that corresponds with the processing activities of their organizations. A couple of examples: if an organization performs complex artificial intelligence review of advanced cybersecurity threats, then their Data Protection Officer should have familiarity with both artificial intelligence and cybersecurity threats and the corresponding laws. If an organization is a payment processor, then the Data Protection Officer should have experience with both financial transactions and the corresponding financial laws that govern those financial transactions.

GDPR specifies five tasks for a Data Protection Officer to perform. First, a Data Protection Officer must inform and advise its organization, including its employees, on the company's GDPR obligations. Second, a Data Protection Officer must monitor and review compliance with GDPR and other data protection laws. That includes reviewing an organization's internal policies and procedures, as well as raising awareness of data protection issues, training staff, and conducting internal audits. Third, a Data Protection Officer should advise on and monitor Data Protection Impact Assessments. Fourth, Data Protection Officers are a primary point of contact for supervisory authorities. Fifth, Data Protection Officers must cooperate with supervisory authorities in the course of an investigation or an inquiry.

A Data Protection Officer must have the requisite independence to perform their tasks. They cannot be unduly influenced by senior management to come out with a specific outcome regarding advice, a compliance review, or input into a Data Protection Impact Assessment. A Data Protection Officer can be either an internal candidate or a contracted party. Either way, a Data Protection Officer must be accessible both to internal employees and to data subjects. One of the ways that an organization can make their Data Protection Officer available is to publish their contact information on a corporate web page, for example. They can also notify their supervisory authority about the identity of their Data Protection Officer.

Data Protection Officers must also have requisite resources to perform their tasks. That means that they have to have enough time to do any other job that they do along with enough time to perform their responsibilities as a Data Protection Officer. They may require financial resources; they may require hardware and software resources; they may require staff to perform their tasks. The Data Protection Officer responsibilities cannot be delegated among multiple individuals, but the Data Protection Officer can receive support from individuals within the organization to fulfill their responsibilities. Finally, a Data Protection Officer might require resources such as training and ongoing education around GDPR and other data protection laws. As I said at the beginning, most organizations are probably going to require a Data Protection Officer. For more guidance on the requirements and responsibilities of a Data Protection Officer, see the Article 29 Working Party guidance on Data Protection Officers.