We recently claimed that DPOs (data protection officers) are “the key to data breach response”, but you could argue that they are the key to GDPR (General Data Protection Regulation) compliance in general.
DPOs occupy a unique position in the data protection landscape, acting as a point of contact between staff and management, as well as between an organisation and its supervisory authority. As a result, they are involved in every part of an organisation’s data protection framework.
It’s therefore essential that you understand when you are required to appoint a DPO, what a DPO does and how you can get the most out of one.
What is a DPO?
A DPO is an independent data protection expert who is responsible for advising an organisation on how to comply with its regulatory requirements.
What are a DPO’s responsibilities?
A DPO’s tasks include:
- Advising staff on their data protection responsibilities;
- Monitoring the organisation’s data protection policies and procedures;
- Advising management on DPIAs (data protection impact assessments) when asked, and monitoring how they are carried out;
- Serving as the point of contact between the organisation and its supervisory authority; and
- Serving as a point of contact for individuals on privacy matters.
The full list of the DPO’s tasks is set out in Article 39 of the GDPR.
Are you required to appoint a DPO?
Under Article 37 of the GDPR, an organisation is required to appoint a DPO if it:
- Is a public authority or body (other than a court acting in its judicial capacity);
- Has core activities that require regular and systematic monitoring of data subjects on a large scale; or
- Has core activities that involve processing special categories of data, or data relating to criminal convictions and offences, on a large scale.
If your organisation doesn’t fall into one of these categories, you could still benefit from having a DPO, and it is widely recommended that someone is given responsibility for the DPO’s tasks even where the GDPR doesn’t demand it. Be aware, though, that if you voluntarily designate a DPO, the GDPR’s requirements on their position and tasks (Articles 37 to 39) apply to that appointment in full; if you want to avoid that, give the role a different title.
What professional experience and qualifications should a DPO have?
DPOs must have a strong understanding of data protection law and regulatory requirements. They also need good communication skills, as they’ll be working with an organisation’s staff and management, as well as with its supervisory authority.
The GDPR does not prescribe a specific qualification; Article 37(5) requires that a DPO is appointed on the basis of their professional qualities, in particular expert knowledge of data protection law and practices, and their ability to fulfil the tasks in Article 39. Training courses such as our Certified DPO Masterclass are highly beneficial for those who want guidance on how to perform those tasks.
Those who have completed our Certified EU GDPR Practitioner Training Course will have already covered the basics of the masterclass and can learn the rest in our Certified DPO Upgrade Training Course.
Can we assign one of our employees as a DPO?
Yes. The position can be filled internally or externally on either a full-time or part-time basis.
Be careful when appointing internally, though – particularly if the employee is keeping their existing position. Article 38 of the GDPR stipulates that a DPO must not receive instructions regarding the exercise of their tasks, must not be dismissed or penalised for performing them, must report directly to the highest level of management and must be free from any conflict of interest.
An employer should not tell the DPO how to investigate complaints, what results should be achieved or how to interpret data protection law.
Similarly, a DPO cannot hold a position in which they determine the purposes and means of processing personal data, because business objectives could then be prioritised over data protection. Senior roles such as chief executive, chief operating officer, and heads of marketing, HR or IT are generally considered incompatible with the DPO role for this reason.
There are circumstances in which an employee can take on the DPO’s responsibilities alongside their own without a conflict of interest, but we suggest avoiding the risk. Even if you are confident that there is no problem today, job roles and responsibilities evolve over time, and a conflict of interest can arise without anyone noticing.
Can we share a DPO with other organisations?
Yes. Sharing a DPO is a practical alternative to assigning one of your own employees, allowing you to avoid the possibility of a conflict of interest without having to appoint a full-time, salaried DPO. The shared DPO must still be easily accessible from each of the organisations they serve.
Any organisation interested in this option should consider our DPO as a service solution.
One of our data protection experts will act as a remote DPO, working with you to understand your organisation’s requirements. They’ll complete the necessary tasks and provide you with guidance whenever you need it.
This service is provided via our sister company, GRCI Law, which specialises in data protection and privacy law.
Led by a management team of experienced DPOs, lawyers, barristers, and information and cyber security experts, GRCI Law provides support across a broad range of topics, including breach response, data privacy management and data subject access requests.
Need more GDPR help?
Those who are looking for more comprehensive advice on how to meet the GDPR’s requirements should take a look at our GDPR Manager.
The service, provided by Vigilant Software, contains modules to support four essential compliance tasks:
- The Breach Report Module helps you keep a record of all breaches and incidents;
- The SAR Module simplifies the process of recording and responding to data subject access requests;
- The Gap Analysis Module helps you identify where action is required to protect personal data; and
- The Third Party Management Module helps you keep track of the processors and controllers that your organisation works with to process personal data.