Isn’t having customers’ trust a cornerstone to good business?
Isn’t that intangible relationship with customers: loyalty, trust, repeat customers, something most companies want?
Accountability is at the centre of all this.
Elizabeth Denham, Information Commissioner
In the first in a series of linked articles about Data Protection Officers (DPOs) under the General Data Protection Regulation (GDPR), we take a detailed look at who exactly the Data Protection Officer is: the history of how the DPO evolved into a legally appointed position, essential information on fulfilling the role of a DPO, and a comparison with other data-focussed senior executives within the organisation.
The GDPR represents the most significant overhaul of privacy and data protection law in 25 years. With its extraterritorial scope, the GDPR covers every organisation, whether a company, charity, or government body, provided it has dealings with EU-based consumers.
Affected organisations are required to conduct a detailed review of their internal data protection policies and procedures to bring them in line with the GDPR. This includes supply-chain contracts, along with implementing robust mechanisms for data breach detection and reporting. An essential element of these preparations is identifying whether they are required to appoint a DPO.
The primary role of the data protection officer (DPO) is to ensure their organisation processes personal data of staff, customers, providers or any other individuals (referred to as data subjects) in compliance with the applicable data protection rules.
European Data Protection Supervisor
Key facts about Data Protection Officers
- A role defined within the legislation, the DPO is the appointed person responsible for monitoring compliance with the GDPR. The requirement applies to public organisations (mandatory) and to commercial organisations that handle data on EU citizens, subject to criteria.
- The DPO must possess expert knowledge of data protection. They are required to advise on all aspects of data compliance across the organisation, including staff awareness and education initiatives.
- The GDPR does not define the qualifications of a DPO, leaving it to organisations themselves to select a person based on the specific requirements of the business. Organisations dealing with large volumes of highly sensitive data in an industry vulnerable to data breaches, e.g. airlines, banks, and government agencies, will likely require a higher calibre of DPO than a local widget-making factory.
- The DPO occupies a unique place in an organisation’s structure. The GDPR sets out that a DPO should report directly to the highest management level of the organisation. It also states that management should not provide any instructions regarding the exercise of those tasks, or dismiss the DPO for exercising their role.
- The DPO is integral to an organisation’s efforts to monitor and measure compliance through Data Protection Impact Assessments (DPIAs) and data audits, and oversees the implementation of compliance tools and reporting mechanisms.
- The DPO must be funded and resourced appropriately. This includes having any or all of the necessary team, premises, facilities and equipment required to deliver their obligations.
- The position of DPO is challenging, as it requires an ability to objectively examine the impact of data processing decisions on data subjects, whilst not allowing their judgment to be clouded by the objectives of the organisation.
- The position of DPO can be outsourced, and can be full-time or part-time, depending on the size of the organisation. Large companies, especially those that operate in multiple jurisdictions, may have to recruit a team; smaller organisations may outsource the role or fulfil it on a part-time basis.
- A DPO has a responsibility to fully co-operate with the Information Commissioner’s Office (ICO), the supervisory authority (SA) charged with overseeing the GDPR in the UK.
- Finally, DPOs help organisations to demonstrate their accountability. They communicate a message of openness, strengthening relationships and building trust between customers, service users, employees and the organisation.