The role of the DPO
The role of the DPO: what it is, who needs one, and how to designate the right person for the job.
For GDPR compliance, generally most larger organizations will need a data protection officer, or DPO, and most smaller ones won't.
Here’s the detail.
A DPO is mandatory in the following three cases:
Firstly, when the controller or processor is a public authority or body, or is acting as one.
Secondly, if the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale.
And lastly, if the core activities of the controller or processor consist of processing on a large scale of special categories of data. So we're talking about highly sensitive data such as political affiliations or sexual orientation, or personal data relating to criminal convictions and offences.
According to the Article 29 Working Party, the group that produces the GDPR guidance, core activities can be considered the key operations necessary to achieve the controller's or processor's goals. So really we're talking about where data processing is at the heart of the organization's ability to operate; think about a hospital or a private security firm that needs that data. Now "large scale" is a woolly term, and it's up to the data controller or processor to determine whether it applies to them, based on factors such as the number of data subjects, the volume of records, the geographic extent, and the duration of the activity.
So examples of large scale processing are a hospital's patient data, search engines, and an insurance company's customer data. Examples that do not constitute large scale processing are the processing of data by an individual doctor or accountant, or the processing of personal data relating to criminal convictions and offences by an individual lawyer.
So you can really summarize the three types of organizations that need a DPO. First, government services; think about a council or local authority here. Note that the Article 29 Working Party recommends that private companies providing similar public functions also nominate a DPO. They're not strictly a government department or a local government department, but they might act like one.
So think about organizations like a housing association, a water supplier, or an energy supplier. Secondly, think about whether data processing is at the core of your organization and on a large scale, like a bank, a web analytics company, or a hospital.
If data is your lifeblood and you process it at large scale, then you will need a DPO.
And lastly, if you handle a lot of sensitive data, what the GDPR calls special categories of data. All three of these are cases where you will need a DPO.
Now, a few things to note. A DPO may also be mandatory under member state laws or other compliance regimes. In the UK, as of April 2017, we have yet to see this local country guidance for the UK or for the other EU countries, but that will be coming. And if an organization is not mandated to designate a DPO but does so voluntarily, then the requirements on the DPO are the same as if the role had been required in the first place.
For organizations that decide they do not require a DPO, the Article 29 Working Party recommends that an internal analysis supporting this decision is carried out and documented, to demonstrate that all the relevant factors have been properly taken into account.
So what does a DPO actually do?
Firstly, the DPO is not responsible, and I'll say it again, the DPO is not responsible or accountable for GDPR compliance. That duty falls on the organization itself. The DPO is there to assist the organization in maintaining data protection compliance. They should offer expert guidance, support data protection impact assessments and audits, and act as the intermediary between data subjects, the organization's business units, and the supervisory authority. Now, the DPO will be front and center in the event of a data breach and must have a deep understanding of the organization's data protection practices. The DPO's contact details must also be publicly available for data subjects to access, for example on a public privacy policy page on the website, and employees should know who the DPO is and how to engage with them.
That's critical. Now, day to day, the DPO is the internal authority on data protection guidance for all activities involving personal data. Therefore any new project, architecture, design, or plan that includes personal data should have input from the DPO.
In turn, availability of the DPO to all teams is essential; everyone needs to be able to get hold of them. The DPO's guidance does not necessarily need to be followed, but if it isn't, then the reasons why and the risk assessment made should be explicitly documented.
The DPO can sit in any business unit where there isn't a conflict of interest, and must have a direct line to the top level of management. Now, the volume of work required from a DPO will vary massively from organization to organization. A smaller company may require one or two days of DPO input per month, while a large one may require a full-time DPO with a large support team underneath them.
Under-resourcing the DPO role would be a very careless mistake, especially if the regulator comes knocking. Now, crucially, the DPO must be a true expert on the GDPR, whether they are a trained lawyer, a compliance manager, or an external consultant. They need to know the GDPR inside out and how to comply with it in the real world. No specific qualifications are required for a DPO, but in addition to expert GDPR knowledge, they must also have strong skills in information security, project management, and the business and organizational nuances of administrative rules and procedures.
In summary, the DPO is your expert GDPR advisor, ready to work with project teams assessing compliance, and happy to face the supervisory authority in the event of a data breach. The DPO has a wide skill set and reports directly to the executive board.
To help with your research, you can download the DPO job description template here.