Adapting a company to the requirements of the new GDPR can be a slow and tedious process. Among the novelties the regulation introduces is the obligation to appoint a role that is much discussed these days: the Data Protection Officer, or DPO. But what does this mean, and why is it important to know?
A Data Protection Officer is a natural or legal person responsible for ensuring that the company complies with data protection law. The role can be filled by an in-house employee or by an external party under a service contract, and the person must have expert knowledge of data protection law and practice, although no certification is required.
The main functions of the DPO include:
- Inform and advise the controller or processor, and the employees who carry out processing, of their obligations under the Regulation and other Union or Member State data protection provisions.
- Monitor compliance with the Regulation, other Union or Member State data protection provisions and the controller's or processor's own personal data policies, including the assignment of responsibilities, the awareness and training of staff involved in processing operations, and the related audits.
- Provide advice, where requested, on the data protection impact assessment and monitor its performance.
- Cooperate with the supervisory authority.
- Act as the contact point for the supervisory authority on questions related to processing.
Do all companies require a DPO?
Not necessarily. The appointment of a data protection officer is mandatory when:
- The processing is carried out by a public authority or body, except for courts acting in their judicial capacity.
- The core activities of the controller or processor consist of processing operations which, by their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale.
- The core activities of the controller or processor consist of large-scale processing of special categories of personal data under Article 9, or of data relating to criminal convictions and offences under Article 10.
Member State law may designate further cases. Among the entities that should appoint a data protection officer are the following:
- Distributors and suppliers of electricity or natural gas.
- Insurers and reinsurers.
- Organizations responsible for credit information systems.
- Organizations that develop advertising activities that involve analysis of preferences or profiling.
- Health centers.
- Educational institutions that offer regulated education.
- Professional associations and their general councils.
- Organizations dedicated to online gaming.
The DPO must be guaranteed autonomy
The DPO must have sufficient autonomy and resources to perform his or her work effectively. The controller is therefore obliged to provide the DPO with all the resources necessary to carry out the role.
This also shapes the DPO's position within the company. The regulation establishes that the data protection officer should be involved, properly and from the earliest possible stage, in all issues relating to the protection of personal data. In addition, the DPO should be recognised as a contact person within the organisation and should take part in the working groups that deal with data processing activities.
Important: the DPO is not personally liable for non-compliance with the GDPR
The GDPR makes it clear that the party obliged to ensure that processing is carried out correctly is the controller (or, for its own obligations, the processor), not the officer. The DPO is not responsible for compliance with the data protection rules; that responsibility remains with the controller or processor. If those responsible for compliance take decisions that are incompatible with the GDPR and with the DPO's advice, the DPO must be able to raise his or her disagreement easily, and the regulation requires that the DPO report directly to the highest management level.
In short, the DPO role is one of the main additions of the GDPR and is key to ensuring compliance with the new European regulation.
In case you have any questions or doubts, feel free to contact us!