According to the EU’s General Data Protection Regulation, companies are obliged to appoint a data protection officer (DPO), who makes sure that the company remains compliant and advises on the company’s obligations regarding data privacy. Their role is to ensure that the organization processes the personal data of its employees, customers, providers and any other individuals in compliance with the applicable data protection laws.
The DPO’s appointment will be required for companies whose core activities consist of processing operations which require regular and systematic monitoring of data on a large scale or of special categories of data or data relating to criminal convictions and offences.
Expertise and tasks
The DPO should have a specific set of professional knowledge and personal skills. Among them are experience in national and European law, an understanding of the processes and operations of the company, the ability to promote a data protection culture within the organization, etc. Solid IT knowledge is also of great importance for the DPO.
The DPO’s major task, ensuring the company’s compliance with the applicable data protection regulation, can be divided into a few sub-tasks:
- To guide all employees on being compliant with GDPR and other data protection laws by informing them about their protection rights, obligations and responsibilities;
- To monitor compliance with GDPR and other data protection laws;
- To promote a data protection culture within the organization, train staff and conduct internal audits;
- To be the first point of contact for supervisory authorities and individuals who need information on how their data is being processed.
To train or to hire
Each company decides for itself whether to assign the role of the DPO to an existing employee or to contract it out. The company can appoint an existing employee as a DPO if their professional duties are compatible with the duties of the DPO.
The organization can also hire its DPO externally, based on a service contract with an individual or an organization. This way the company can benefit from the specific expertise of the external company and doesn’t have to invest in training for its employees.
If you are interested in exploring the possibility of hiring an external DPO, or need any other consultancy regarding GDPR, contact us! Disclaimer: We can give you a free one-hour consultancy!
Source: EU GDPR; EDPS