The Inside Job: GDPR’s Data Protection Officers

What does a DPO do and which organisations need one?
Posted: March 30, 2017

The European Union’s General Data Protection Regulation describes a curious role—one that so far has been unknown to the majority of organisations in the world: the data protection officer.

A data protection officer is a person who is nominated by an organisation to monitor its compliance with data protection laws. In simpler terms, the DPO is the organisation’s data protection watchdog.

GDPR dedicates a whole section to the DPO, who is also mentioned in a number of other places. By directly reaching into the structure of organisations, the authors of the GDPR wanted to leave no doubt that data protection is serious business now.

Many organisations the world over will be required to have a DPO from 25 May, 2018, the day the GDPR becomes effective.

The Job of the Data Protection Officer

The function of the DPO is to:

  • Check if the organisation is in compliance with data protection rules
  • Inform the organisation of violations of data protection rules (and ways to fix them)
  • Advise the organisation on new projects with regards to data protection
  • Be able to demonstrate the organisation’s compliance to data protection authorities
  • Act as an intermediary between her organisation, data subjects, and data protection authorities

In practice, a DPO’s work will include further data protection-related tasks, such as creating the Directory of Procedures, reviewing the results of external audits, and so on.

The DPO’s function overlaps with that of corporate cybersecurity officers and similar functions. The main differences are:

  • Cybersecurity is only one aspect of data protection. The DPO also has to monitor compliance with the other aspects of data protection: data minimisation, the rights of data subjects, etc.
  • You are basically free to set up a corporate cybersecurity officer function or not. But in many cases, setting up a DPO is mandatory.

Is My Organisation Required to Have a DPO?

GDPR requires an organisation to nominate a DPO if the organisation a) processes (receives, stores, manipulates, queries, etc.) personal data relating to residents of the European Union, and b) additionally fulfills one or more of the following criteria:

  1. The organisation is a public organisation (agency, government body).
  2. The organisation performs “core activities” that “require regular and systematic monitoring of data subjects on a large scale”. Think: banking (has to perform anti-money laundering checks), telcos, organisations that perform video surveillance.
  3. The organisation performs “core activities” that “consist of processing on a large scale” one of the following categories of especially sensitive personal data:
     a. “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for […], data concerning health or data concerning a natural person's sex life or sexual orientation” (Article 9). An example would be a company that checks genetic data for indications of health issues.
     b. “personal data relating to criminal convictions and offences or related security measures”.

Additionally, national law may require an organisation to provide a DPO even in cases where GDPR does not.

GDPR recommends creating a DPO function for your organisation voluntarily in cases where it is not mandatory.

Finally, if you have looked at all the above aspects and determined that your organisation does not require a DPO, you should in all cases document the considerations that led you to that decision.

What Are the Requirements of a DPO?

A DPO must have “expert knowledge of data protection law and practices”. Beyond that, the person must be capable of carrying out the tasks outlined above.

What Do I Have to Do for My DPO?

You need to provide your DPO with everything she needs to get the job done. That can mean material things like an office and a PC, but it also means access to all information she needs to do the job, including on confidential or secret projects.

You must also not interfere with the DPO’s job, such as telling her to not look at certain activities too closely. To avoid conflicts of interest, a DPO usually cannot be a board member, unless the board position is limited to DPO functions.

You must actively involve the DPO in any new projects that have even the remotest bearing on personal data.

The DPO is always a single person, but if necessary, a whole group of people must be provided to assist her in the job. In a small company, the DPO may herself review compliance reports, project descriptions, and the results of security audits. In a larger organisation, she may have others sift through that information and provide her with a condensed version.

Can the DPO Be External?

Yes, the DPO can be an external service provider. In fact, the International Association of Privacy Professionals has estimated that GDPR will create a worldwide demand for around 75,000 DPOs, and it is unlikely that they will all be drawn from the ranks of the organisations’ own employees.

If We Don’t Like the DPO’s Opinion, Can We Just Fire Her?

Only if you can prove that she is not doing her DPO job well. If she tells you your organisation is completely failing GDPR standards, she may be doing her job well—and you are not allowed to fire her.

If My Organisation Does a Bad Job at GDPR Compliance, Can I Hold Our DPO Responsible?

No. The DPO’s job is to point out to you what is right and wrong with respect to GDPR compliance. Following up on that is up to your organisation.

What’s the Benefit for My Organisation?

While the obligation to name a DPO and provide them with the necessary powers initially seems like a cost factor, your organisation will gain benefits:

  • Your own data protection expert
  • A “second set of eyes” on your cybersecurity
  • Reduced compliance worries
  • For large corporations, a single interface to handle data protection authorities
  • A review of your data flows at no extra cost
  • Identifying data protection issues before they cause damage to your customers and your reputation
  • More trust from customers and potential customers

Too Long; Didn’t Read

If you are a public agency, process a lot of data, or process sensitive data, you need to have a DPO from 2018 onwards.

Get a Free GDPR Consultation

During a free 30-minute call, the GDPR experts at HelpSystems will answer your questions and help determine what steps to take next.