It’s July 2019 and we’re well past the deadline for implementation of the GDPR, but there is still some confusion in organisations about the Data Protection Officer (DPO) role, and who needs to appoint a DPO. I’m going to try to clear things up in this short blog post.
Data Protection Officer Role
Firstly, what’s a DPO expected to do in your organisation? In short, the DPO essentially looks after data protection oversight and reporting. They should be a relatively senior person within your organisation.
The DPO’s main purpose is to monitor data protection legal and policy compliance within your organisation, including awareness raising, staff training, incident management, and process auditing.
They should be capable of providing ongoing advice and information on your organisation’s data protection obligations and data management activities, be easily accessible to management and employees, and advise on and monitor Data Protection Impact Assessments (DPIAs) and breach reporting.
The DPO must be registered with your national data protection supervisory authority, and act as the main point of contact on Data Privacy matters.
Does My Organisation Need to Have a DPO?
The rules around the types of organisation that need to have a DPO are relatively straightforward. There are three groups where a DPO is mandatory:
Any public authority or body, irrespective of the data processed;
Organisations handling data involving regular and systematic monitoring of individuals on a large scale;
Businesses or other organisations managing or processing personal data relating to criminal convictions and offences, or other so-called special category data (examples include data relating to race, ethnicity, religion, political opinions, biometrics, genetics, health or information relating to sexual preference).
Your DPO can be someone already within the organisation, provided there is no conflict of interest with his or her existing professional duties. Alternatively, you can appoint a new, dedicated DPO, share a DPO with another organisation, or, even better, outsource the role of DPO to an outside agency or service provider, which the legislation also allows.
Outsourcing the role of DPO is the only realistic option for many organisations, and even makes sense for businesses and public bodies that could afford the luxury of employing a DPO in-house. A DPO-as-a-Service offering can be tailored to meet the specific data protection needs of most organisations, with additional benefits such as providing:
A practical and cost-effective solution to achieving GDPR compliance.
Access to Data Privacy compliance technology.
Access to broader DPO expertise.
Experience of best practice in achieving and maintaining GDPR and Data Privacy compliance.
Elimination of any concerns with respect to conflict of interest.
Tried and trusted data management policies and procedures, customised for your organisation.
PrivacyEngine provides a DPO-as-a-Service offering that can be tailored to meet the specific data protection needs of any organisation.