Data Protection Officer (DPO) Under GDPR

The General Data Protection Regulation (GDPR) was implemented on May 25, 2018, to safeguard the privacy rights of people in the European Union (EU). It requires data controllers and processors to follow specific standards to protect the data subjects’ personal data. One such requirement is designating a Data Protection Officer (DPO) to monitor compliance in an organization. Articles 37, 38, and 39 of GDPR list the designation, position, and tasks of a DPO.

This article explains the role of a Data Protection Officer in an organization and what qualifications they must hold to lead the organization to comply with the GDPR.

GDPR under certain conditions requires an organization to appoint a single DPO who can monitor and assess its compliance. The DPO is the face of an organization when it comes to data protection. The organization should make sure the DPO has all the necessary resources to perform their duties. Also, they should be reporting to the highest management level. 

The DPO could be a dedicated position in the organization or an existing employee. If it is a current employee, then ensure that their duties align with that of DPO’s. It should not lead to a conflict of interest. DPO could have a team of data protection specialists if it is necessary. Also, multiple organizations can share a single DPO. The contact details of a DPO should be readily available for communication with the supervisory authority.

There is a misconception that the requirement for an organization to appoint a DPO is its size. However, this is not true. It depends on the core processing activities of your organization. You must appoint a DPO if:

• You are a public authority or body;
• The core processing activities involve large-scale and regular monitoring of data subjects;
• It processes special categories of data in large scale; or
• It processes data related to criminal offenses or convictions.

A Data Protection Officer’s role is akin to that of a leader. The DPO must lead the organization towards protecting the rights of its customers. Following are the roles and responsibilities of a DPO:

• Inform and make aware everyone in an organization of their obligation towards the GDPR compliance;
• Supervise and train the staff on following the Regulation standards;
• Monitor the organization’s processing activities;
• Keep records of all processing activities;
• Regularly conduct compliance-related audits and data protection impact assessment;
• Be the point of contact between the organization and the respective supervisory authority and data subjects.

GDPR does not mention specific academic requirements for a DPO. However, it maintains that the appointed DPO should have the following professional credentials:

• Experience and expert knowledge in data protection laws;
• DPO’s professional credential should align with the type of processing;
• Sound understanding of the organization’s ventures and it’s processing activities;
• Aware of the organization’s data protection needs.

DPOs have a huge responsibility, and they must be bound by secrecy and confidentiality when it comes to their duties. Therefore, choosing a Data Protection Officer should be done after extensive research and consideration. If they fail to do their job properly, then it is the organization that will bear the consequences.