The “new” European law, GDPR, was implemented over a year ago. At this point, what do you really know about it?
This is a complex law, open to differing interpretations. Today we are only covering what a DPO (Data Protection Officer) is, what its responsibilities are, and when you are required to appoint one.
Most small businesses don’t need a DPO, unless their core activities involve monitoring individuals on a large scale or processing special categories of personal data on a large scale.
Keep reading to learn more about DPOs.
Definition of Data Protection Officer
A data protection officer (DPO) is an independent data protection compliance role that the General Data Protection Regulation (GDPR) requires certain organizations, public and private, to appoint.
Data protection officers oversee an organization’s data protection strategy and monitor its implementation to ensure compliance with GDPR requirements.
Does your company really need a Data Protection Officer?
You only need to appoint a DPO if your organization is a public authority, or if its core activities involve large-scale monitoring of individuals in the EU or large-scale processing of special categories of their personal data. Note that the GDPR protects people located in the EU, not just EU citizens.
DPOs must be, “appointed for all public authorities, and where the core activities of the controller or the processor involve ‘regular and systematic monitoring of data subjects on a large scale’ or where the entity conducts large-scale processing of ‘special categories of personal data,’” such as race, ethnicity, or religious beliefs.
The GDPR makes clear that the size of an organization doesn’t dictate the need for a DPO; what matters is the size and scope of its data handling. The GDPR doesn’t define what it considers “large scale” processing. However, the Article 29 Working Party guidelines on DPOs, which supervisory authorities follow, weigh these four factors:
- the number of data subjects concerned;
- the volume of data and the range of data items processed;
- the duration or permanence of the processing;
- the geographical extent of the processing.
The guidelines aren’t precise, but most small businesses won’t need a DPO unless their core activity is monitoring individuals at scale (behavioural advertising is the classic example). A DPO also does not have to be a new hire: Article 37 allows an existing employee or an external service provider to hold the role, provided their other duties do not create a conflict of interest.
Data Protection Officer’s Responsibilities and Requirements
Under Article 37 of the GDPR, public authorities and any organization whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of personal data, must appoint a data protection officer.
As outlined in Article 39 of the GDPR, DPOs are responsible for, among other things, the following:
- Educating the company and employees on important compliance requirements
- Training staff involved in the data processing
- Conducting audits to ensure compliance and address potential issues proactively
- Cooperating with, and acting as the contact point for, the GDPR supervisory authorities
- Advising on data protection impact assessments (DPIAs) and monitoring their performance
- Helping maintain the records of processing activities required by Article 30, including the purposes of each processing activity; these records must be made available to the supervisory authority on request
- Acting as the contact point for data subjects, who may ask how their data is being used, exercise their right to have their personal data erased, and learn what measures the organization has put in place to protect their personal information