Learn about the DPO's role in managing organizational data protection and overseeing GDPR compliance in Data Protection 101, our series on information security fundamentals.
A DEFINITION OF DATA PROTECTION OFFICER
A Data Protection Officer (DPO) is a dedicated data protection role that the General Data Protection Regulation (GDPR) requires certain organizations to appoint. Data Protection Officers are responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements.
WHAT TYPES OF COMPANIES NEED DATA PROTECTION OFFICERS?
Introduced by the European Parliament, the European Council and the European Commission to strengthen and streamline data protection for people in the European Union, the GDPR calls for the mandatory appointment of a DPO in organizations that process or store large quantities of personal data, whether about employees, people outside the organization, or both. Under Article 37, a DPO must be designated for all public authorities (other than courts acting in their judicial capacity), where the core activities of the controller or processor involve “regular and systematic monitoring of data subjects on a large scale,” or where the entity carries out large-scale processing of “special categories of data,” such as data revealing a person’s race, ethnicity, or religious beliefs.
RESPONSIBILITIES AND REQUIREMENTS OF THE DATA PROTECTION OFFICER
When the GDPR comes into force on 25 May 2018, the Data Protection Officer becomes a mandatory role under Article 37 for every organization that meets the criteria above, regardless of whether it is located in the EU, as long as it collects or processes personal data of people in the EU. DPOs are responsible for educating the company and its employees on important compliance requirements, training staff involved in data processing, and conducting regular audits. DPOs also serve as the point of contact between the company and the supervisory authorities (SAs) that oversee data-related activities.
As stated in Article 39 of the GDPR, the responsibilities of the DPO include, but are not limited to:
- Educate the business and employees on important compliance requirements
- Train staff involved in data processing
- Conduct audits to ensure compliance, and proactively address potential issues
- Serve as a point of contact between the company and GDPR supervisory authorities
- Monitor performance and provide guidance on the impact of data protection efforts
- Maintain comprehensive records of all data processing activities carried out by the company, including the purpose of each processing activity; these records must be made available to the supervisory authority on request
QUALIFICATIONS REQUIRED FOR DATA PROTECTION OFFICERS
The GDPR does not include a specific list of qualifications required for DPOs, but Article 37 requires that a data protection officer be designated on the basis of professional qualities and, in particular, “expert knowledge of data protection law and practices”. The Regulation also specifies that the level of expertise required of the DPO depends on the data processing operations carried out and on the level of protection required for the personal data processed by the controller or processor.
A DPO can be a staff member of the controller or processor, or an external party engaged under a service contract. A group of undertakings may appoint a single DPO to oversee data protection collectively, as long as the DPO remains easily accessible from each establishment whenever necessary. The DPO's contact details must be published and communicated to the relevant supervisory authority.
BEST PRACTICES FOR HIRING A DPO
Since companies that process the personal data of people in the EU are subject to the GDPR even if they are not located in the EU, one study predicts that around 28,000 DPOs will be needed for regulated organizations to be compliant when the law comes into force in May 2018.
Businesses and organizations must have their DPOs in place before the regulation comes into force. It is therefore important to start recruiting now in order to secure the most qualified professionals for this position, because they are in high demand and the deadline is looming. To hire the right DPO, you need to ensure they have expertise in data protection law and practice, as well as a thorough understanding of your IT infrastructure, technology, and technical and organizational structure. You can appoint an existing employee as DPO or engage an external DPO. Companies and organizations should look for candidates who can manage data protection and compliance internally while acting as the point of contact for the relevant supervisory authorities.
Ideally, a DPO should have excellent management skills and be able to interact easily with internal staff at all levels, as well as with external authorities. The right DPO must be able to ensure internal compliance and escalate non-compliance, while understanding that the company may be subject to hefty fines if it fails to comply.