Data Protection Officer: Role, Requirements and Organising
The Data Protection Officer role has come into sharp focus on the EU’s General Data Protection Regulation (GDPR). Along with this, the market for data protection professionals is booming: the GDPR obliges certain organisations to appoint a separate Data Protection Officer (DPO) with the task of being an organisation’s internal expert in monitoring the processing of personal data and helping the organisation to comply with data protection rules.
The appointment of the Data Protection Officer is not an entirely new requirement. While some EU countries have had this obligation also prior to the GDPR, this requirement has now become an obligation for more and more organisations. Consequently, many organisations are now desperately looking for skilled and experienced Data Protection Officer. The The International Association of Privacy Professionals (IAPP) has conservatively estimated that at least 75.000 DPOs will be needed to manage EU citizens’ data around the world.
Staffing the Data Protection Officer role
The duty to designate the DPO can be directly based on an obligation under Article 37 of the GDPR, or an organisation may appoint one on a voluntary basis. According to Article 37, the controller and the processor shall designate a Data Protection Officer in any case where
the processing is carried out by a public authority or body
the controller’s or processor’s core activities consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale, or
the core activities of the controller or the processor consist of processing on a large scale of special categories of data (Art. 9) or personal data relating to criminal convictions and offences (Art. 10).
In practice, many organisations appoint a DPO on a voluntary basis or at least a Data Protection Specialist, who is responsible for ensuring that data protection issues are duly considered in the organisation’s operations. However, it is important to note that an organisation that appoints a DPO voluntarily must still comply with the full range of DPO-related compliance obligations as if that appointment had been mandatory. When hiring data protection specialists other than a DPO, it’s important that they are not referred to as a DPO, for the aforementioned reason. A DPO is always a specific role with particular responsibilities under the GDPR.
It is important to note that the GDPR sets forth particular requirements as to the role, position, and tasks of a DPO within an organisation. A Data Protection Officer role and position within an organisation defined by three elements: monitoring and advice, independence, and privacy contact point. Therefore, it is important to guarantee a certain amount of independence and neutrality of the DPO, while at the same time embedding the DPO into the core data protection activities and privacy decision making of an organisation.If an organisation has a privacy team, the roles and responsibilities of its members and how it relates to the DPO should be clearly set out.
The GDPR leaves the decision-making to the organisations, on how to staff the Data Protection Officer role. The Data Protection Officer may be a staff member of the controller or processor, or the task could also be fulfilled on the basis of a service contract.
Privaon’s DPO services
Outsourcing the DPO is an easy way to organise and manage data protection issues, which benefits the organisation in a variety of ways. Privaon’s service portfolio includes a fully outsourced DPO (DPO as a Service), whereby the data protection resources can be flexibly dimensioned to meet unique organisational needs and data protection risks. If your organisation has already appointed a Data Protection Officer, Privaon can offer additional external resources (DPO Support) for the internal DPO by providing expertise whenever necessary.
The Privaon DPO service:
To learn more about Privaon’s DPO-services, visit DPO as a Service page.
Susanna Engblom, Senior Privacy Specialist