What is a Data Protection Officer (DPO)?

Data Security Knowledge Base

Learn About the New Role Required for GDPR Compliance

Text

A data protection officer (DPO) is an enterprise security leadership role required by the General Data Protection Regulation (GDPR). Data protection officers are responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements.

What Companies Need Data Protection Officers?

Text

Put forth by the European Parliament, the European Council, and the European Commission to strengthen and streamline data protection for European Union citizens, the GDPR calls for the mandatory appointment of a DPO for any organization that processes or stores large amounts of personal data, whether for employees, individuals outside the organization, or both. DPOs must be “appointed for all public authorities, and where the core activities of the controller or the processor involve ‘regular and systematic monitoring of data subjects on a large scale’ or where the entity conducts large-scale processing of ‘special categories of personal data,’” like that which details race or ethnicity or religious beliefs.

Data Protection Officer Responsibilities and Requirements

Text

The data protection officer is a mandatory role under Article 37 for all companies that collect or process EU citizens’ personal data. DPOs are responsible for educating the company and its employees on important compliance requirements, training staff involved in data processing, and conducting regular security audits. DPOs also serve as the point of contact between the company and any Supervisory Authorities (SAs) that oversee activities related to data.

As outlined in the GDPR Article 39, the DPO’s responsibilities include, but are not limited to, the following:

Educating the company and employees on important compliance requirements

Training staff involved in data processing

Conducting audits to ensure compliance and address potential issues proactively

Serving as the point of contact between the company and GDPR Supervisory Authorities

Monitoring performance and providing advice on the impact of data protection efforts

Maintaining comprehensive records of all data processing activities conducted by the company, including the purpose of all processing activities, which must be made public on request

Interfacing with data subjects to inform them about how their data is being used, their rights to have their personal data erased, and what measures the company has put in place to protect their personal information

Qualifications for Data Protection Officers

Text

The GDPR does not include a specific list of DPO credentials, but Article 37 does require a data protection officer to have “expert knowledge of data protection law and practices.” The Regulation also specifies the DPO’s expertise should align with the organization’s data processing operations and the level of data protection required for the personal data processed by data controllers and data processors.

DPOs may be a controller or processor’s staff member and related organizations may utilize the same individual to oversee data protection collectively, as long as it’s possible for all data protection activities to be managed by the same individual and the DPO is easily accessible by anyone from any of the related organizations whenever needed. It is required that the DPO’s information is published publicly and provided to all regulatory oversight agencies.

Best Practices for Hiring a DPO

Text

Because companies that handle data of EU citizens are subjected to GDPR even if they are not located in the EU, it is predicted that tens of thousands of DPOs are needed for regulated organizations to achieve GDPR compliance.

To hire the right DPO, you’ll need to ensure they have expertise in data protection law and practices and a complete understanding of your IT infrastructure, technology, and technical and organizational structure. You may designate an existing employee as your DPO, or you may hire a DPO externally. Companies and organizations should look for candidates that can manage data protection and compliance internally while reporting non-compliance to the proper Supervisory Authorities.

Ideally, a DPO should have excellent management skills and the ability to interface easily with internal staff at all levels as well as outside authorities. The right DPO must be able to ensure internal compliance and alert the authorities of non-compliance while understanding that the company may be subjected to hefty fines for non-compliance.