Under the EU General Data Protection Regulation (GDPR), many organisations must appoint a data protection officer (DPO). The requirement covers public authorities and companies that carry out either large-scale systematic monitoring of individuals or large-scale processing of special categories of data.
According to our GDPR Report, nearly 40% of organisations have already appointed a DPO to oversee their compliance project. This indicates that many organisations that aren’t required to appoint a DPO are opting to anyway.
This trend supports guidance from the Article 29 Working Party (WP29), which recommends that all organisations should appoint a DPO as a matter of good practice.
Our report surveyed 250 of our clients, and is intended to provide practitioners and senior management with insights into how organisations are progressing with GDPR compliance.
What does the DPO do?
As we touched upon during last week’s post on organisations’ difficulty in finding qualified staff, the DPO is responsible for a wide variety of tasks, meaning that it can be a hard position to fill.
The DPO should educate the company and employees on important compliance requirements, train staff who are involved in data processing, conduct audits and serve as a point of contact between the company and its supervisory authority. They are also required to report to the highest management level (i.e. board level) and the board should provide them with adequate resources to meet their obligations.
A comprehensive overview of the DPO’s tasks is set out in Article 39 of the Regulation.
The role of the DPO can be filled by an existing employee, provided they have an expert knowledge of data protection law and that their professional duties are compatible with those of the DPO.
The DPO position can also be contracted out externally.
Who is filling these roles?
The majority of our respondents (56.9%) said they have designated, or will designate, an in-house employee to fulfil the DPO role. Only 2.3% said they are planning to outsource the role, and 3.7% said they will appoint a new employee. The rest either don’t plan to appoint one or don’t know how the role will be filled.
If you’re interested in becoming a DPO, you should start by gaining a GDPR qualification. Our Certified EU General Data Protection Regulation (GDPR) Practitioner Training Course provides you with that, and helps you gain the practical knowledge required for the DPO role. It covers data mapping, data protection impact assessments, the role of data processors and controllers, data breach reporting requirements, how to demonstrate compliance and much more.
The course supports professional development. Those who pass the exam are awarded an ISO 17024-accredited EU GDPR Practitioner qualification, which proves that they have the knowledge and skills to help organisations achieve compliance with the GDPR.