✓ The Appointment
General Data Protection Regulation (GDPR) is a privacy protection law that has far-reaching implications. And at the root of it all are the significant structural changes that the organisations have to make to be compliant with the GDPR.
The compliance cost is huge, and no one wants to be on the wrong side of GDPR.
Appointing a Data Protection Officer (DPO) happens to be one such requirement. However, it is not an entirely fresh concept. Many organisations already have such a role in place either as a mandatory requirement in their country or to set the industry benchmark. But, for the first time, outsourcing a DPO has become a compulsory requirement for such a large pool of organisations.
Under GDPR, is it compulsory for every organisation to hire a data protection officer? What are their roles and responsibilities? Who do they report to?
Many such questions are still lingering in the minds of the executives who have been entrusted with the task of making their respective organisations GDPR compliant. Everything one needs to know about a DPO is present here.
Who is a Data Protection Officer (DPO)?
A DPO is a leadership position in the GDPR document. The primary responsibility of the DPO is to make sure that a proper GDPR strategy is in place in organisations. Another way to look at their responsibility is to supervise its smooth implementation. It is necessarily an executive-level position in organisational data management and security.
Does Every Company Need a DPO?
To hire a Data Protection Officer is essential when an organisation falls into one of the following categories:
If a public authority is processing the user data, then they have to appoint a Data Protection Officer (DPO).
- Core Data processor and controllers:
Organisations that carry out ‘regular and systematic processing’ of data as their core activity must also fulfil this mandatory requirement.
For data processing to be considered a core activity, it should be critical to the operations and goals of the organisation. For instance, IT and HR management are support functions and not the core activities of an organisation.
Then, there is the term ‘regular and systematic’ which means at regular intervals. As per a pre-determined arrangement, monitoring of data subjects, profiling them, and so on.
Although, it is irrelevant whether the collection and systematic monitoring of data are taking place online or offline. Once the data is collected and is being processed, it comes under the purview of the GDPR.
- Large-scale data processor and controllers:
Organisations that process data of data subjects on a large-scale also have to appoint a Data Protection Officer (DPO) as a mandatory requirement.
Again, article 29 working party states that to be considered a large-scale processor, it is not just the volume of the data that is being processed is under consideration. Multiple other factors must be taken into account. These factors include:
- Number of data subjects
- A volume of data processed
- How long the data is processed
- Geographical coverage of the data being processed
- Processing Sensitive Data:
Another set of organisations that fall under the purview of GDPR are those who are data controllers and processors of sensitive data on a large scale. The sensitive data can include data related to children, health-related information, criminal convictions, and so on. If an organisation falls under the above categories, then it would be crucial for it to appoint a DPO. An organisation can also voluntarily appoint a DPO.
- Appointment, Responsibilities, and Liabilities of a DPO
Once the organisation has ascertained, it must appoint a DPO. To understand the roles and responsibilities of a DPO under GDPR is the next step now.
A DPO should be appointed on the bases of professional competence and more importantly, the knowledge of data protection and privacy landscape. The knowledge of the DPO should be a function of the nature of the data processing operations and the degree of protection required.
Having a complete understanding of the data processing operations of the organisation is a must for a DPO and also should have expert knowledge of data protection laws of the country as well as GDPR. A Data Protection Officer (DPO) can be internal as well as external.
✓ The Responsibilities
A Data Protection Officer (DPO) should be involved in every issue related to data protection law and practices from the beginning since it is their responsibility to ensure compliance with GDPR.
They have to create processes and oversee the security of the data and to conduct periodic data protection impact assessments. Since the primary role of a DPO is to monitor an organisation’s compliance with GDPR.
They cannot be designated on any other position within the organisation.
✓ The Liability
It is critical that organisations have complete clarity over who is held liable in the case of non-compliance. An interesting point here is that the DPO cannot be personally held responsible.
If there is a breach of the regulation, it is still the data controller and processor that will be held liable. Of course, it is the organisation’s call to determine if they want to appoint another DPO, but that’s an entirely different matter altogether.
The data protection officer is an in-charge for the implementation of data protection policies and assurance of data policy management.
Data protection officer may have many responsibilities within the firm. This person is in charge and held accountable for the provision of the right actions to supplement compliance to the GDPR and the data protection law within the EU.
The DPO must overlook the reporting and management of a breach. They must work towards creating and following the best practices and benchmarks for privacy assurance. They may overlook processes in order to curb the possibilities of any breaches to occur.
The DPO must communicate with relevant parties in order to comply with the data protection law. They may even answer any data subject access requests if they arise. Any person looking to request subject access may connect to a DPO for help.
A good DPO manages the policy in order to comply. They also help in creating awareness to help with the smooth application process. Compliance is an ongoing effort, never a one-off thing.
- Your own organisation
- outside of the organisation
- full-time work basis
- Or a part-time basis
The Way Forward
An organisation has to know whether they have to appoint a DPO under GDPR mandatorily or not. If they do not have to, they can still create a position.
However, they should know that even if they choose to appoint a DPO by choice, they will have to abide by the same set of rules as an organisation For that very reason appointing DPO is essential.
If an organisation is not required to and does not want to appoint a DPO, it is recommended that they do document the reason for not doing so.
Given the hefty amounts of fines amounting up to €20 million or 4% of the global turnover, appointing a Data Protection Officer (DPO) is a smart decision on the part of the organisations.
They must have a dedicated professional looking after the GDPR compliance and raising a red flag whenever there is an infringement or any potential of it. A DPO appointment also wor