Learn about the DPO's role in managing organizational data protection and overseeing GDPR compliance in Data Protection 101, our series on the fundamentals of information security.
A Definition of Data Protection Officer
A data protection officer (DPO) is an enterprise security leadership role required by the General Data Protection Regulation (GDPR). Data protection officers are responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements.
What Companies Need Data Protection Officers?
Put forth by the European Parliament, the European Council, and the European Commission to strengthen and streamline data protection for European Union citizens, the GDPR calls for the mandatory appointment of a DPO for any organization that processes or stores large amounts of personal data, whether for employees, individuals outside the organization, or both. DPOs must be “appointed for all public authorities, and where the core activities of the controller or the processor involve ‘regular and systematic monitoring of data subjects on a large scale’ or where the entity conducts large-scale processing of ‘special categories of personal data,’” such as data revealing race, ethnicity, or religious beliefs.
Data Protection Officer Responsibilities and Requirements
The data protection officer is a mandatory role under Article 37 for all companies that collect or process EU citizens’ personal data. DPOs are responsible for educating the company and its employees on important compliance requirements, training staff involved in data processing, and conducting regular security audits. DPOs also serve as the point of contact between the company and any Supervisory Authorities (SAs) that oversee activities related to data.
As outlined in the GDPR Article 39, the DPO’s responsibilities include, but are not limited to, the following:
- Educating the company and employees on important compliance requirements
- Training staff involved in data processing
- Conducting audits to ensure compliance and address potential issues proactively
- Serving as the point of contact between the company and GDPR Supervisory Authorities
- Monitoring performance and providing advice on the impact of data protection efforts
- Maintaining comprehensive records of all data processing activities conducted by the company, including the purpose of all processing activities, which must be made public on request
- Interfacing with data subjects to inform them about how their data is being used, their rights to have their personal data erased, and what measures the company has put in place to protect their personal information
Qualifications for Data Protection Officers
The GDPR does not include a specific list of DPO credentials, but Article 37 does require a data protection officer to have “expert knowledge of data protection law and practices.” The Regulation also specifies the DPO’s expertise should align with the organization’s data processing operations and the level of data protection required for the personal data processed by data controllers and data processors.
A DPO may be a staff member of the controller or processor, and related organizations may appoint the same individual to oversee their data protection collectively, as long as one person can manage all of the data protection activities involved and the DPO is easily accessible to anyone from any of the related organizations whenever needed. The DPO’s contact information must be published publicly and provided to all regulatory oversight agencies.
Best Practices for Hiring a DPO
Because companies that handle the data of EU citizens are subject to the GDPR even if they are not located in the EU, it is predicted that tens of thousands of DPOs are needed for regulated organizations to achieve GDPR compliance.
To hire the right DPO, you’ll need to ensure they have expertise in data protection law and practices and a complete understanding of your IT infrastructure, technology, and technical and organizational structure. You may designate an existing employee as your DPO, or you may hire a DPO externally. Companies and organizations should look for candidates who can manage data protection and compliance internally while reporting non-compliance to the proper Supervisory Authorities.
Ideally, a DPO should have excellent management skills and the ability to interface easily with internal staff at all levels as well as with outside authorities. The right DPO must be able to ensure internal compliance and alert the authorities to non-compliance, while understanding that the company may be subject to hefty fines for non-compliance.