So important is the General Data Protection Regulation that it has brought about a brand new occupation – the Data Protection Officer.
What is a Data Protection Officer?
The General Data Protection Regulation (GDPR) talks a lot about accountability and governance, requiring organisations to be more transparent about what it does with personal data.
“You are expected to put into place comprehensive but proportionate governance measures. Good practice tools that the ICO has championed for a long time such as privacy impact assessments and privacy by design are now legally required in certain circumstances.
“Information Commissioner’s Office”
This accountability and governance requires certain larger organisations to employ a Data Protection Officer (DPO) to oversee these practices.
Who needs a Data Protection Officer?
Employing a DPO would obviously not be appropriate for all organisations. So the Information Commissioner‘s Office has boiled down the necessity for a DPO to the following categorisations.
- Public authorities and bodies (except certain courts);
- Organisations whose core activities consist of regular and systematic monitoring of data subjects on a large scale; and
- Organisations whose core activities consist of processing special categories of data on a large scale
While the above organisations are legally required to appoint a DPO, some businesses may want to voluntarily appoint one.
What are the main responsibilities and duties of a DPO?
A DPO is considered to be an enterprise security role, leading the compliance of the GDPR of an organisation.
The DPO’s minimum tasks are defined in Article 39 of the GDPR:
‘To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.’
‘To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits.’
‘To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).’
In addition to these tasks, the DPO must ensure that they are reporting at board level, or whatever the highest level of your organisation happens to be.
In effect, they operate independently of the organisation as a whole, and as such, must have their employment protected. This means that they cannot be dismissed or penalised for simply doing the job of a DPO. In addition to this, the organisation must provide the data protection officer with all of the resources they need to meet the above responsibilities and duties.
So what does it take to become a DPO in this new world of the GDPR?
While there are no formal qualifications to become a DPO, although we have documented some official training on the GDPR itself on our GDPR resources page, the right candidate would be required to have certain qualities and knowledge.
The DPO needs to have proven integrity and high professional ethics to be able to ensure an organisation is prepared for and then continues to practice GDPR.