The concept of a Data Protection Officer was created in Europe as part of the General Data Protection Regulation. The obligation to appoint a Data Protection Officer must be considered if any processing involves a public authority, if special categories of personal data are processed on a large scale, or if the data processing requires systematic monitoring of data subjects. These companies must appoint an operational Data Protection Officer. Whether a company appoints a full-time Data Protection Officer of its own, or several undertakings appoint a single Data Protection Officer between them, depends on what they need in order to fulfill their obligations. The appointed DPO must be easily reachable by external stakeholders, supervisory authorities and employees.
The GDPR introduces a duty for you to appoint a data protection officer (DPO) if you are a public authority or body, or if you carry out certain types of processing activities.
- DPOs assist you to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority.
- The DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level.
- A DPO can be an existing employee or externally appointed.
- In some cases several organizations can appoint a single DPO between them.
- DPOs can help you demonstrate compliance and are part of the enhanced focus on accountability.
Role of DPO
The primary role of the Data Protection Officer (DPO) is to ensure that his organization processes the personal data of its staff, customers, providers or any other individuals in compliance with the applicable data protection rules.
Appointment of DPO
The appointment of a DPO must of course be based on his personal and professional qualities, but particular attention must be paid to expert knowledge of data protection. A good understanding of the way the organization operates is also recommended.
Duties of the Data Protection Officer include:
- Acting on compliance with all relevant data protection regulations.
- Monitoring specific processes, such as data protection impact assessments.
- Raising employee awareness and training employees, as well as collaborating with authorities.