The data protection officer (DPO) role under the GDPR
A DPO has formal responsibility for data protection compliance within an organisation.
The appointment of a DPO under the EU General Data Protection Regulation (GDPR) is only mandatory in three situations: when the organisation is a public authority or body, or when the organisation’s core activities consist of either:
1. Data processing operations that require regular and systematic monitoring of data subjects on a large scale; or
2. Large-scale processing of special categories of data (i.e. sensitive data such as health, religion, race, sexual orientation, etc.) and personal data relating to criminal convictions and offences.
There is no exemption for small and medium-sized enterprises (SMEs), which has been reaffirmed by the Information Commissioner’s Office (ICO):
"I've heard plenty of people talking about there being a DPO exemption for SMEs - this is absolutely not the case."
Peter Brown, Senior Technology Officer, Information Commissioner's Office (ICO)
There is also scope with the Regulation for each EU country to specify other circumstances in which a DPO needs to be appointed. Data protection laws in Germany, for example, require every business with ten or more employees that permanently process personal data to appoint a DPO.
Even where the GDPR does not specifically require the appointment of a DPO, it is highly encouraged by the European Article 29 Working Party (WP29) as a matter of good practice and to demonstrate compliance. It is important to note that an organisation that appoints a DPO voluntarily must still comply with the full range of DPO requirements in the GDPR.
The DPO’s tasks
The GDPR is explicit about the tasks that DPOs are required to perform. They include the following:
Inform and advise the organisation and its employees of their data protection obligations under the GDPR.
Monitor the organisation’s compliance with the GDPR and internal data protection policies and procedures. This will include monitoring the assignment of responsibilities, awareness training, and training of staff involved in processing operations and related audits.
Advise on the necessity of data protection impact assessments (DPIAs), the manner of their implementation and outcomes.
Serve as the contact point to the data protection authorities for all data protection issues, including data breach reporting.
Serve as the contact point for individuals (data subjects) on privacy matters, including subject access requests.
The GDPR does not specify the precise credentials a DPO is expected to have. However, in its recent published guidelines the WP29 defines certain minimum requirements regarding the DPO’s expertise and skills:
Level of expertise – understanding how to build, implement and manage data protection programmes is essential. The more complex or high-risk the data processing activities are, the greater the expertise the DPO will need.
Professional qualities – DPOs do not have to be lawyers, but they must have expertise in national and European data protection law, including an in-depth knowledge of the GDPR. DPOs must also have a reasonable understanding of the organisation’s technical and organisational structure and be familiar with information technologies and data security.
In the case of a public authority or body, the DPO should have a sound knowledge of its administrative rules and procedures.
The GDPR requires that the DPO operates independently and without instruction from their employer over the way they carry out their tasks. This includes instructing the DPO on “what result should be achieved, how to investigate a complaint or whether to consult the regulatory authority”. Nor can organisations tell their DPO how to interpret data protection law.
Although the GDPR allows DPOs to “fulfil other tasks and duties”, organisations are obliged to ensure that there is no “conflict of interests” between those activities and the formal duties prescribed under the Regulation. Most senior positions within an organisation are likely to conflict with the DPO’s duties (e.g. chief executive, chief operating officer, chief financial officer, chief medical officer, head of marketing, head of HR or head of IT).
The DPO cannot be dismissed or penalised for performing their tasks, and organisations must ensure that the DPO reports directly to “the highest management level” in the organisation.
The task of the DPO to monitor the organisation's compliance with the GDPR does not make the DPO individually liable for non-compliance by the organisation. The WP29 states that organisations are free to ignore the advice of DPOs as they remain “responsible for compliance”, but when doing so must document in writing the reasons for not following the advice.
Fines for non-compliance
Failure to comply with the DPO requirements set out in the GDPR may result in administrative fines of up to €10 million or up to 2% of worldwide annual turnover – whichever is greater.
The DPO may be employed (internal DPO) or act under a service contract (external DPO). In both cases, a DPO must be given the necessary resources to fulfil the relevant job functions
Businesses should assess whether they are obliged to appoint a DPO under the new Regulation, and consider the requirements that DPOs act independently and without conflict when performing their formal tasks.
The GDPR allows organisations to choose whether to appoint an internal or external DPO. Whatever the decision, IT Governance can help your organisation fulfil the DPO role.
Certified GDPR training
Our ISO 17024-certificated GDPR Foundation and Practitioner training courses offer a structured learning path to equip data protection and information security professionals, as well as individuals who lack data protection expertise and experience, with the specialist knowledge and skills needed to deliver GDPR compliance and fulfil the DPO role.
Learn more about the GDPR training options >>
Outsourcing the DPO role
The GDPR allows organisations to outsource the DPO role to an external provider. With a shortage of individuals trained to handle DPO responsibilities, outsourcing these tasks and duties can help your organisation address the compliance demands of the GDPR while staying focused on your core business activities.
Learn more about DPO as a service >>
Speak to an expert
Please contact our expert team, who will be able to give advice and guidance about the compliance options.
Call: +44 (0)333 800 7000