The designation of a data protection officer (DPO) is a critical aspect of GDPR compliance. Under Article 37(1), a controller or processor must designate a DPO where its core activities consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects (the individuals whose personal data is processed) on a large scale, or consist of large-scale processing of the special categories of data listed in Article 9 or of data relating to criminal convictions and offences (Article 10); public authorities and bodies must designate one regardless of the processing they carry out. Article 38 addresses the relationship between controllers and processors and their DPOs directly: “the controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data”.
According to GDPR, a DPO:
- may be a member of staff of the controller or processor, or an external provider acting under a service contract (Article 37(6)); a single DPO may serve a group of undertakings, provided they are easily accessible from each establishment (Article 37(2))
- must be provided with the resources necessary to carry out their tasks, with access to personal data and processing operations, and with the means to maintain their expert knowledge (Article 38(2))
- must report directly to the highest level of management in the organisation (Article 38(3)), and must not be dismissed or penalised for performing their tasks
- may carry out other tasks and duties, but only where these do not result in a conflict of interests (Article 38(6)); in practice this rules out roles that determine the purposes and means of processing, such as head of IT, head of marketing or head of HR
- must be designated on the basis of their professional qualities and, in particular, their expert knowledge of data protection law and practices (Article 37(5))
Who Needs to Hire a DPO?
It is important to note that while GDPR is an EU regulation, its territorial scope (Article 3) is not limited to organisations based in the EU: it applies to any organisation with an establishment in the EU, and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, data subjects in the EU. Therefore, many international organisations which may have assumed that they were exempt from GDPR are in fact covered and, if they meet the Article 37 criteria, must designate a DPO. Ignorance of GDPR is not an excuse for non-compliance, and the fines are hefty: the maximum penalty is a fine of €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher. Infringements of the DPO provisions themselves (Articles 37 to 39) fall into the lower tier of Article 83(4), with a maximum of €10 million or 2% of turnover, whichever is higher.
Organisations must understand GDPR’s definition of “personal data” when assessing whether they need to designate a DPO. Article 4(1) defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’)”; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity. The definition is deliberately broad: IP addresses, device identifiers and cookie IDs can all be personal data where they can be linked to an individual (Recital 30).
GDPR does not set a headcount threshold for designating a DPO; the 250-employee figure sometimes cited comes from the record-keeping exemption in Article 30(5), not from Article 37. In practice, large organisations process personal data on a scale that meets the Article 37(1) criteria and are expected to designate a DPO. All public authorities and bodies must designate one (the only exception is courts acting in their judicial capacity). The situation requires more careful assessment for smaller organisations: size alone does not exempt a small business, but most will not meet the criteria. A small business must designate a DPO if its core activities involve large-scale, regular and systematic monitoring of individuals (for example behavioural advertising or location tracking), or large-scale processing of data relating to criminal convictions and offences or of the special categories of personal data. The special categories listed in Article 9 are:
- data revealing racial or ethnic origin
- data revealing political opinions, or religious or philosophical beliefs
- data revealing trade-union membership
- data concerning health
- data concerning a person’s sex life or sexual orientation
- biometric data processed for the purpose of uniquely identifying a natural person
- genetic data
If a small business has the financial resources to designate a DPO, it may be a good idea to do so, even if GDPR does not strictly require it. Note that once a DPO is designated, even voluntarily, the requirements of Articles 37 to 39 on their position and tasks apply in full; an organisation that wants a data protection adviser without those obligations should give the role a different title. Although appointing a DPO may be costly initially, the expertise they provide in ensuring that the organisation remains fully GDPR-compliant is worthwhile considering the penalties levied against those found to violate the regulation.
Responsibilities of a DPO
The primary role of a DPO is to inform, advise and monitor: to help the organisation protect the personal data of data subjects to the standards set out in GDPR. Responsibility for compliance itself remains with the controller or processor (Article 24); the DPO is not personally liable for non-compliance. A thorough understanding of data protection law is fundamental to the role.
The tasks of a DPO, set out in Article 39, include:
- informing and advising the organisation and its staff of their obligations under GDPR and other data protection law, including educating staff on data subject rights
- advising senior management on GDPR-compliant business practices
- monitoring compliance across the organisation, including the assignment of responsibilities, awareness-raising and training of staff, and related audits
- providing advice on data protection impact assessments (Article 35) and monitoring their performance
- cooperating with the supervisory authority and acting as its contact point on processing issues (the “lead supervisory authority” is specifically the authority responsible for cross-border processing under Article 56)
- assessing IT systems, networks and data protection safeguards as part of monitoring compliance, with due regard to the risk associated with the processing operations
- acting as a contact point for data subjects on all issues relating to the processing of their data and the exercise of their rights (Article 38(4)); the DPO’s contact details are also included in breach notifications under Articles 33 and 34, although the duty to notify the supervisory authority and affected data subjects rests with the controller, not the DPO
Aside from being a legal requirement for many organisations, the appointment of a DPO is invaluable for navigating the complexities of GDPR. DPOs are an integral part of implementing organisation-wide GDPR compliance, ensuring that every aspect of operations respects the privacy of personal data.