Data Protection Officers, or DPOs, are data protection professionals whose designation is mandated in certain cases by the General Data Protection Regulation (GDPR) in the European Union. This article will detail who needs to appoint a DPO, the responsibilities of the role and management guidelines for DPOs. Even though GDPR is an EU regulation, data flows are truly worldwide, and the effects of GDPR reach organizations and entities beyond the borders of the EU that process the personal data of people in the EU.
Who Needs to Hire Data Protection Officers?
Article 37 of the GDPR lays out when a controller or processor must designate a DPO. Designation is mandatory if:
- The processing is carried out by a public authority or body (courts acting in their judicial capacity excepted)
- The organization's core activities consist of regular and systematic monitoring of data subjects on a large scale, for example behavioral tracking, geolocation tracking or systematic monitoring of Internet traffic, visitors, IP addresses and so on
- The organization's core activities consist of large-scale processing of special categories of data (health, genetic, biometric, trade union membership, sexual orientation and similar) or of data relating to criminal convictions and offenses
Two points are commonly misunderstood. First, the GDPR sets no headcount threshold for the DPO requirement; the 250-employee figure that is often quoted comes from Article 30(5), which concerns the duty to keep records of processing activities, and a ten-person company can still need a DPO if its core business is large-scale monitoring. Second, "large scale" is judged by the number of data subjects affected, the volume and variety of the data, the duration of the processing and its geographic reach, not by the size of the organization. Data relating to children is not a special category in itself, but processing it is treated as high-risk and weighs toward needing a DPO and a DPIA. Member states may also require a DPO in additional cases under national law, so the national rules of each country in which you operate should be checked.
In practice, this applies to social media companies, companies that offer software-as-a-service (SaaS), health care service companies, educational institutions and generally any company whose core business involves processing large amounts of personal data. Many organizations, not only large ones, will have to appoint a DPO to meet compliance with GDPR.
Responsibilities of Data Protection Officers
To better understand how to manage DPOs, it is important to first know what the various responsibilities of the role are. Below is a list of the most important responsibilities that management must hold their DPOs to:
- Inform and advise the controller or processor and the employees who carry out processing about their obligations under the GDPR and other data protection law, and raise awareness of these issues
- Help set GDPR-based data protection goals and responsibilities, and monitor that the organization follows them
- Advise on how data protection principles should be applied and interpreted in the organization's specific processing activities
- Monitor the organization's records of processing activities and flag the processing operations that present risk (the successor to the old "prior checking" regime)
- Monitor compliance and support internal accountability, including internal audits (audits are big here)
- Act as the contact point for data subjects who raise queries or complaints about how their data is processed or about exercising their rights
- Cooperate with, and act as the contact point for, the supervisory authority on queries, complaints and prior consultation
- Advise on whether a Data Protection Impact Assessment is required, how it should be carried out and whether its conclusions are sound, and monitor its performance and regular review (the assessment itself is the controller's responsibility)
- Review and coordinate Data Processing Agreements with third-party processors
- Contribute to privacy, cookie and other data-related policies
- Train organization staff who are involved with data processing
With the role’s responsibilities established, we can now examine how to best manage the role of DPO. The following management guide will walk you through how to best manage your DPO through the lens of their role in the organization.
The most important aspect of the DPO role is independence within the organization. This does not mean that the DPO can do whatever they want, but rather that the DPO can meet their various job responsibilities without undue influence from the organization. In practice, this means that the DPO must receive no instructions on how to carry out their tasks and must be able to perform their duties without fear of being penalized or dismissed for performing them. These duties extend to working with outside authorities and third parties regarding breaches and non-compliance issues.
DPOs must be closely involved with all data protection matters within the organization. This involvement must not be merely for show — this means that the DPO must be involved in a timely manner to have the most effective impact within the organization, thereby minimizing, mitigating and eliminating risk wherever possible.
The DPO must report directly to the highest management level of the organization, which in most cases is the board. The organization must make this reporting line real rather than nominal: the board should receive the DPO's reports and act on them, which in turn highlights the importance of the role of DPO.
DPOs must be afforded appropriate access to personal data and data processing activities. This access must extend to other data-related activities and services in order to receive necessary support, input and information. In other words, the DPO must not be encumbered by organization access rules when performing their data-related job responsibilities.
The DPO must give advice to the organization with regard to creating and conducting Data Protection Impact Assessments, or DPIAs. A DPIA must be conducted, before the processing starts, when data processing is likely to result in "a high risk to the rights and freedoms of natural persons" (taken from the text of GDPR). This means that whenever the organization is going to create or implement a process which may result in a high risk to personal data, a DPIA must be carried out and the DPO must have been asked for advice on it. This highlights the importance of the independence of this role: an organization that conducted DPIAs without seeking the advice of its own DPO would invite exactly the scrutiny the role is meant to prevent.
DPOs must ensure that documentation of the organization's data processing activities exists and is kept current. The record-keeping obligation itself falls on the controller or processor under Article 30, but the DPO is the one who monitors it, and the DPO's own advice on each DPIA should be recorded alongside the assessment, since DPIA work is one of the most important and comprehensive responsibilities that DPOs must satisfy. As a rule of thumb, documentation is essential to compliance with important regulations today (such as HIPAA) and GDPR is no exception.
Not only do DPOs have many duties they must satisfy in the course of their work, organizations have some responsibility in this regard too. Organizations are required to give DPOs the resources and support they require in order to carry out their role independently. This could include providing open channels of communication between the DPO and senior management, providing physical materials, staff and time where needed and allowing the DPO the general freedom they require to perform the role's responsibilities in an independent fashion. To this end, DPOs do not need to be micromanaged or line-managed, making their management more of an arm's-length affair.
With the implementation of GDPR within the EU, Data Protection Officers have quickly assumed an essential role within organizations that process large amounts of personal data relating to people in the EU. This is probably a new requirement for many organizations, especially smaller ones, and it may take some time to adjust to. Follow the guidelines above and your organization will be well on the way to meeting compliance with GDPR.