The Role of the Data Protection Officer (DPO)Salvus Team
The EU General Data Protection Regulation (GDPR) has entered into force in May 2018 and requires some institutions to appoint a Data Protection Officer (DPO). The mandatory obligation to appoint a DPO forms a key part of the strengthened accountability obligations found in the GDPR and stretches the importance of implementing an effective and compliant data protection framework.
The mandatory designation, the particular expertise and skills required and the duties of the DPO are three areas we will briefly explain in order to start a series of articles related to GDPR.
Data controllers and processors must designate a DPO in cases where:
- The core activities of controllers and processors involve operations that require processing of regular and systematic monitoring of data subjects on a large scale,
- The processing is implemented by a public body or authority except for courts acting in their judicial capacity,
- The core activities of controllers and processors involve processing on large scale of personal or special categories of data related to criminal convictions and offenses.
Expertise and Skills
Designation of DPO should be concentrated on the professional qualities and in particular on the expert knowledge of data collection law and policies. The ability to fulfill the DPO tasks should involve advance professional ethics, integrity and efficient fostering compliance with the GDPR.
The DPO must ensure that both data subjects and controllers are well informed about their data protection rights, responsibilities and obligations and raise awareness about them. The DPO should draw the organisation’s attention to any failure to comply with the applicable data protection rules.
The duties of DPO comprise overseeing internal compliance with the GDPR through:
- The collection of data to identify processing activities,
- Verifying the compliance of processing activities,
- The provision of information, advice and recommendations.
To fulfill the main duties, a DPO should provide assistance and advice to the controller in carrying out the data protection impact assessments (DPIA), suggest the most appropriate risk-based approach, mitigate controls and ensure that assessments were carried out accurately and in compliance with GDPR. Furthermore, internal records have to be maintained so that DPO can provide information and recommendations and act as a point of contact between the institution and supervisory authorities.
The role of the DPO has become tremendously significant mainly for data protection compliance and risk management. The introduction of the DPO obligation falling under the GDPR regulation is expected to raise its significance even more.
The information provided in this article is for general information purposes only. You should always seek for professional advice suitable to your needs.