The role of a Data Protection Officer

“You’re fired!”

The General Data Protection Regulation (GDPR) protects Data Protection Officers (DPOs). If a company breaches the new data laws, firing the DPO won’t be an option!

  • A DPO is an organisation security leadership role required by the GDPR in certain circumstances. DPOs are responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements

DPOs must be appointed for an organisation that has over 250 employees, all public authorities, and where the core activities of the controller or the processor involve ‘regular and systematic monitoring of data subjects on a large scale’. In addition to that, where the entity conducts large-scale processing of ‘special categories of personal data, such as race or ethnicity or religious beliefs. All data held by the organisation, whether it be employee data, data on customers or suppliers or just anyone’s data, must be covered by the data protection strategy implemented by the DPO.

  • A DPO is not personally responsible for non-compliance with the GDPR. The controller or the processor is required to ensure that the company’s data processing is performed in accordance with the regulations – Article 24

The DPO role comes with challenges. The ICO insists the DPO isn’t to be held accountable if decisions they make aren’t good for business.

“It’s a strange role that’s virtually un-sackable,” said Paul Lomax, an independent publishing consultant and recently the chief technology officer at magazine group Dennis. “You can’t give them guidance on or take issue with how they approach it [GDPR compliance]. Basically, you can’t fire them.”  (1)

If you were thinking of being a DPO, these are some of the requirements to qualify for the role:

  • Article 37 of the GDPR does require a Data Protection Officer to have “expert knowledge of data protection law and practices.”
  • Expertise in national and European data protection laws and practices including an in-depth understanding of the processing operations carried out
  • Knowledge of the business sector and the organisation
  • Ability to promote a data protection culture within the organisation
  • The Regulation also specifies the DPO’s expertise should align with the organisation’s data processing operations and the level of data protection required for the personal data processed by data controllers and data processors
  • DPOs may be a controller or processor’s staff member and related organisations may utilise the same individual to oversee data protection collectively, as long as it’s possible for all data protection activities to be managed by the same individual and the DPO is easily accessible by anyone from any of the related organisations whenever needed
  • Have an understanding of IT infrastructure, data security, technology, and technical and organisational structure
  • Have excellent organisational and management skills

What considerations are there when hiring a DPO?

  • Companies and organisations need to have their DPOs in place before the Regulation goes into effect, so it’s important to begin recruiting and hiring DPOs sooner rather than later in order to secure the most qualified professionals for the role, as they’re sure to be in high demand as the deadline looms (25th May 2018)
  • You’ll need to ensure they have expertise in data protection law and practices and a complete understanding of your IT infrastructure, technology, and technical and organisational structure. You may designate an existing employee as your DPO, or you may hire a DPO externally
  • Companies and organisations should look for candidates that can manage data protection and compliance internally while reporting non-compliance to the proper Supervisory Authorities
  • Ideally, a DPO should have excellent management skills and the ability to interface easily with internal staff at all levels as well as outside authorities. The right DPO must be able to ensure internal compliance and alert the authorities of non-compliance while understanding that the company may be subjected to hefty fines for non-compliance

What tasks will a DPO have to perform?

According to Article 37, the DPO, who can be a staff member or contractor, shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.

These are:

  • To inform and advise the controller or the processor and the employees who are
    processing personal data of their obligations pursuant to the regulation
  • To monitor compliance with the regulation, including the assignment of responsibilities, awareness-raising and training of staff involved in the processing operations, and the related audits
  • To provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35
  • To cooperate with the supervisory authority (the ICO in the UK)
  • To act as the contact point for the supervisory authority on issues related to the processing of personal data

The necessary level of expert knowledge should be determined according to the data processing operations carried out and the protection required for the personal data being processed. For example, where a data processing activity is particularly complex, or where a large amount of sensitive data is involved, the DPO may need a higher level of expertise and support.

There is certainly a lot to learn and do when GDPR comes into force. Training and awareness at all levels need to start now. Do you need any advice? Contact us today.

Read the full article:

GDPR Article 24

GDPR Article 35

GDPR Article 37

GDPR Article 39


Also recently published