Understanding the role of the Data Protection Officer
24 September 2018
Tony Richards, group CISO at the Falanx Group, talks us through what the role of the Data Protection Officer should be and whether your organisation should hire one.
It has been just over three months since the European General Data Protection Regulation (GDPR) came into force; however, a recent study has highlighted that many organisations are yet to achieve compliance.
These organisations have obviously come to realise that compliance cannot be achieved overnight. It is an ongoing process which affects many different areas of business and takes a long time to get in order. With expanded territorial reach and rules around data consent, to gain compliance many organisations need to re-examine their policies and procedures to ensure they are handling their data correctly and are not breaking any of the regulatory requirements.
Aside from the new rules GDPR has created, the regulation has also introduced a new obligation for certain organisations to appoint a Data Protection Officer (DPO). However, as this is an entirely new role, many organisations are still trying to understand what the job entails and if their organisation even needs one.
So, what is the role of the DPO and should your organisation hire one?
The role of the DPO
The DPO should be an expert in European data protection and security laws and should be able to provide an organisation with guidance on GDPR compliance, IT security and best practices for storing and processing data. The key role for the DPO is to assist an organisation with GDPR compliance. However, the DPO is not accountable or responsible for GDPR compliance, as this falls on the organisation itself.
The DPO is there to provide advice on how an organisation can achieve compliance and should help facilitate audits to ensure GDPR compliance is being upheld. In addition to monitoring compliance, advising on Data Protection Impact Assessments (DPIA) and carrying out or facilitating audits, DPOs also act as intermediaries between relevant stakeholders (e.g. supervisory authorities, data subjects and business units within an organisation).
The data protection officer should be responsible for a number of important tasks within an organisation, which include:
- To inform and advise organisations and their employees, who hold and process GDPR-covered data, of their role to help achieve and maintain compliance.
- To monitor compliance with the regulation and help awareness-raising and training of staff who hold and process GDPR-covered data.
- To act as the point of contact and cooperate with the supervisory authority if there is a breach, audit, or issues/queries relating to GDPR.
- The DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level.
- Additionally, the DPO shall in the performance of his or her tasks, have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
- DPOs can help you demonstrate compliance and are part of the enhanced focus on accountability.
Despite misconceptions, not all organisations are required to hire a DPO; in fact, it is only mandatory in three cases:
- Public Authorities – the processing of data is carried out by a public authority or body (except for courts acting in their judicial capacity).
- Large systematic monitoring of individuals – the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale.
- Processing large scale special data categories – the core activities of the controller or the processor consist of processing, on a large scale, special categories of data and personal data relating to criminal convictions and offences.
The role of a DPO is very important to help certain organisations achieve GDPR compliance. In summary, the DPO should act as an expert in European data protection and can help guide an organisation through the process to achieve compliance and provide advice and guidance to ensure it is maintained.