The Role of the Data Protection Officer (DPO)

A data protection officer (DPO) is an enterprise data governance role which has been pushed into the limelight by the General Data Protection Regulation (GDPR), which comes into force on 25th May 2018. Data protection officers are responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements.

1. What Kind of Companies Need Data Protection Officers?

The GDPR calls for the mandatory appointment of a DPO for any organisation that processes or stores large amounts of personal data, whether for employees or individuals outside the organisation, or both. DPOs must be “appointed for all public authorities, and where the core activities of the controller or the processor involve ‘regular and systematic monitoring of data subjects on a large scale’ or where the entity conducts large-scale processing of ‘special categories of personal data,’” such as details of race or ethnicity or religious beliefs.

2. DPO Responsibilities

From May 25, 2018, the data protection officer becomes a mandatory role under Article 37 of the GDPR for all companies that collect or process personal data of EU citizens. DPOs are responsible for educating the company and its employees on compliance requirements, overseeing training of staff involved in data processing, and regular privacy audits. DPOs also serve as the point of contact between the company and the Information Commissioners Office (ICO).

According to the GDPR Article 39, the DPO’s responsibilities include, but are not limited to, the following: -

• Educating the company and employees on important compliance requirements

• Training staff involved in data processing

• Conducting audits to ensure compliance and address potential issues proactively

• Serving as the point of contact between the company and GDPR Supervisory Authorities (ICO)

• Monitoring performance and providing advice on the impact of data protection efforts

• Maintaining comprehensive records of all data processing activities conducted by the company, including the purpose of all processing activities, which must be made public on request

• Interfacing with data subjects to inform them about how their data is being used, their rights to have their personal data erased, and what measures the company has put in place to protect their personal information

3. DPO Qualifications

The GDPR does not include a list of DPO qualifications, but Article 37 does require a data protection officer to have “expert knowledge of data protection law and practices.” The Regulation also specifies the DPO’s expertise should align with the organisation’s data processing operations and the level of data protection required for the personal data processed by data controllers and data processors.

DPOs may be a controller or processor’s staff member and related organisations can utilise the same individual to oversee data protection collectively. The DPO’s information is published publicly and provided to all regulatory oversight agencies.

Hiring a DPO

Because companies that handle data of EU citizens are subjected to GDPR even if they are not located in the EU, one study predicts that 28,000 DPOs will be needed for regulated organisations to achieve GDPR compliance when the law goes into effect in May 2018. Companies and organisations need to have their DPOs in place before the Regulation goes into effect, so it’s important to begin recruiting and hiring DPOs sooner rather than later in order to secure the most qualified professionals for the role, as they’re likely to be in high demand.

To hire the right DPO for your company, you will need to ensure they have expertise in data protection law and practices and a complete understanding of your IT infrastructure, technology, and technical and organisational structure. You may designate an existing employee as your DPO, or you may hire a DPO externally. You should look for candidates that can manage data protection and compliance internally while reporting non-compliance to the proper Supervisory Authorities (ICO).

Ideally, a DPO will have excellent management skills and the ability to interface easily with internal staff at all levels as well as outside authorities. The right DPO must be able to ensure internal compliance and alert the authorities of non-compliance while understanding that the company may be subjected to hefty fines for non-compliance.