What is a Data Protection Officer (DPO)? Learn About the New Role Required for GDPR Compliance in 2019
Learn about the DPO's role in managing organizational data protection and overseeing GDPR compliance in Data Protection 101, our series on the fundamentals of information security.
A Definition of Data Protection Officer
A data protection officer (DPO) is an enterprise security leadership role required by the General Data Protection Regulation (GDPR). Data protection officers are responsible for overseeing a company’s data protection strategy and its implementation to ensure compliance with GDPR requirements. The video clip below gives an overview of the role of a DPO, and is from our webinar, A Practical Approach to GDPR: Featuring IDC's Duncan Brown. You can watch the full webinar here.
Which Companies Need Data Protection Officers?
GDPR was put forth by the European Parliament, the European Council, and the European Commission to strengthen and streamline data protection for European Union citizens. It calls for the mandatory appointment of a DPO at every organization that processes or stores personal data for EU citizens. DPOs must be “appointed for all public authorities, and where the core activities of the controller or the processor involve ‘regular and systematic monitoring of data subjects on a large scale’ or where the entity conducts large-scale processing of ‘special categories of personal data,’” such as race, ethnicity, or religious beliefs.
The language of GDPR indicates that it is not the size of an organization that determines whether a DPO is needed, but rather the size and scope of its data handling. Unfortunately, GDPR does not specifically define what it considers to be “large scale” data handling. However, there are four key factors that governing authorities are using to determine whether a DPO will be required.
Those four factors are:
- Data subjects
- Data items
- Length of data retention
- Geographic range of processing
While there are no exact guidelines around the scale of data handling, most small businesses will not be required to hire a DPO unless their core focus is data collection or storage.
Data Protection Officer Responsibilities and Requirements
Under Article 37 of GDPR, the data protection officer is a mandatory role for all companies that collect or process EU citizens’ personal data. DPOs are responsible for educating the company and its employees about compliance, training staff involved in data processing, and conducting regular security audits. DPOs also serve as the point of contact between the company and any Supervisory Authorities (SAs) that oversee activities related to data.
As outlined in GDPR Article 39, the DPO’s responsibilities include, but are not limited to, the following:
- Educating the company and employees on important compliance requirements
- Training staff involved in data processing
- Conducting audits to ensure compliance and address potential issues proactively
- Serving as the point of contact between the company and GDPR Supervisory Authorities
- Monitoring performance and providing advice on the impact of data protection efforts
- Maintaining comprehensive records of all data processing activities conducted by the company, including the purposes of all processing activities, which must be made public on request
- Interfacing with data subjects to inform them about how their data is being used, their right to have their personal data erased, and what measures the company has put in place to protect their personal information
Qualifications for Data Protection Officers
The GDPR does not include a specific list of DPO credentials, but Article 37 does require a data protection officer to have “expert knowledge of data protection law and practices.” The regulation also specifies that the DPO’s expertise should align with the organization’s data processing operations and the level of data protection required for what is processed by data controllers and data processors.
A DPO may be a staff member of the controller or processor, and related organizations may use the same individual to oversee data protection collectively, as long as the DPO is easily accessible to anyone at those related organizations. The DPO’s contact information must be published publicly and provided to all regulatory oversight agencies.
Data Protection Officers must not have a conflict of interest, meaning that the DPO must not have any current duties or responsibilities that conflict with their monitoring responsibilities. For example, a legal counsel who could represent the company in a legal proceeding would be considered to have a conflict of interest, and therefore would not be qualified to serve as the DPO. Companies that violate this requirement may be subject to fines of up to €10 million or two percent of the company’s worldwide turnover, whichever is greater.
Best Practices for Hiring a DPO
Because companies that handle the data of EU citizens are subject to GDPR even if they are not located in the EU, it is predicted that tens of thousands of DPOs are needed for all regulated organizations to achieve GDPR compliance.
The best DPOs will have expertise in data protection law and a complete understanding of their company’s IT infrastructure, technology, and technical and organizational structure. An existing employee may be designated as the DPO, or the DPO could be hired externally. Companies and organizations should look for candidates who can manage data protection and compliance internally while reporting non-compliance to the proper Supervisory Authorities. The right DPO will be both reliable and independent, with no prior commitments that would interfere with the monitoring responsibilities of the DPO role.
Ideally, a DPO should have excellent management skills and be able to interface easily with both internal staff at all levels and outside authorities. The right DPO will also ensure internal compliance and alert the authorities about instances of non-compliance, even if the company may be subject to hefty fines as a result.