DPO is an acronym for Data Protection Officer. A DPO is a person who is given formal responsibility for data protection compliance within an organisation.
Under the EU’s General Data Protection Regulation (GDPR), some organisations will be required to appoint a DPO. When appointed, the GDPR prescribes a framework around the roles and responsibilities of the DPO. But it is important to note that not all organisations will have to appoint DPOs and that the DPOs themselves will not personally be responsible for an organisations non-compliance with the GDPR. Data protection compliance is ultimately the responsibility of the controller or processor of the personal data.
So when will you need to appoint a DPO?
You must appoint a DPO if you are a public authority or body, if your core activities involve the relevant and systematic monitoring of individuals on a large scale or if your core activities involve the processing of sensitive personal data.
You don’t need a DPO if, for example, you:
- You use personal data once or twice a year to promote your local clothes shop
- You process personal data for internal payroll processing
You do need a DPO if, for example, you:
- You process patient data on fertility and genetics for a hospital
- You process personal data linked to people’s behaviour online for advertising purposes
A DPO needs to ensure that the personal data being kept by an organisation is secure from accidental loss, unauthorised use, theft and damage.
You can choose to voluntarily appoint a DPO, even if you’re not required to do so. But, be aware, if you do this then that voluntarily appointed DPO must comply with the full range of DPO-related obligations. In that case it may be better for you to appoint other staff to perform the tasks related to data protection compliance. If you do this make sure NOT to call them DPOs.
DPOs can be internal or they can be an external contractor, provided that the external DPO has sufficient knowledge of the organisation and the data processing activities the organisation undertakes.
What is the role of a Data Protection Officer?
The DPO must be involved, from the outset, in all issues related to data protection compliance. DPOs must monitor the organisation’s compliance and advise the organisation on data protection issues. They need to carry out data protection impact assessments, if the organisation is involved in high-risk processing activities. The DPO will also serve as the primary point of contact between the organisation and the supervisory authority responsible for implementing the GDPR.
As you can see the DPO’s role is extensive, including overseeing data protection activities, devising policies and procedures that will enable an organisation to be compliant with the GDPR, monitoring the implementation of these policies and procedures, ensuring staff are trained in data protection and the GDPR, and handling subject access requests for personal data. If a data breach occurs the DPO is to inform all affected parties and be the point of contact for supervisory authorities.
The exact responsibilities of a DPO will vary from organisation to organisation, depending on the collection, storage and processing of personal data taking place.
The DPO must have access to the most senior positions in an organisation. They must be autonomous and independent, and they cannot be dismissed for fulfilling their role as DPO.
So who can be a DPO?
The GDPR does not stipulate the credentials of a DPO, but it does state they need to be a person of high professional qualities with expert knowledge of data protection law and practices. Obviously, they’ll also need to be a good communicator and have some project management skills.
There are a number of private organisations that are beginning to provide DPO courses. The Spanish data protection authority (AEPD) is offering a DPO certification scheme in collaboration with their National Accreditation Entity (ENAC). The accreditation is not mandatory for Spanish DPOs, but does demonstrate that at least the AEPD feels DPOs should have special training. It will be interesting to see if other member state supervisory authorities do something similar.
If your organisation will need to appoint a DPO under the General Data Protection Regulation, it would be wise to get started now. There is less than a year to go.