What is a GDPR Data Protection Officer and who needs to appoint one?

The role of the GDPR data protection officer, including specific duties and which companies must appoint a DPO.

Data Protection Officer

GDPR legislation says that a Data Protection Officer (DPO) must be appointed by some organisations. This refers to public authorities and companies that process large amounts of personal data.

What is a GDPR Data Protection Officer?

Most organisations that regularly handle, analyse, collect and process user data will need to appoint a DPO. The position is the focal point for all of the organisation’s GDPR activities.

Because the post carries such a high level of responsibility for data protection and GDPR, the appointed DPO must have expert knowledge of the legislation, data protection practice and GDPR compliance.

Here’s how the GDPR defines a Data Protection Officer, including what they do, their legal obligations, the post’s specific responsibilities and the skills they need. DPOs ensure that organisations comply with GDPR and don’t risk a breach of their responsibilities that could lead to heavy financial penalties (€20 million or 4% of the organisation’s global revenue – whichever is higher).

What does the role of GDPR Data Protection Officer entail?

GDPR Article 38 outlines the DPO position. It says:

“The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.”

The DPO is uniquely protected from internal interference by the organisation. The same article says that the organisation legally can’t give the DPO any instructions regarding the exercise of their tasks.

The position is also bound by strict confidentiality and reports directly to the highest level of management. This article, along with GDPR Article 39, outlines the major tasks of the DPO role. They are:

  1. To deal with questions and comments from data subjects about their personal data, GDPR and how their data is being processed.
  2. To inform the organisation and its employees of their legal GDPR obligations, along with any other data protection provisions relevant to their specific EU member state.
  3. To continually track and monitor GDPR compliance for the organisation, implement training for employees about compliance and perform GDPR audits.
  4. To implement and perform data protection impact assessments.
  5. To fully cooperate and communicate with the data protection supervisory authority. For example, in the UK this is the ICO.
  6. To be the focal point for the supervisory authority on any matters relating to GDPR, personal data and any other appropriate matters.

Which companies need a Data Protection Officer?

While every company, regardless of its size, should have a person handling personal data and GDPR compliance, the regulations state that a DPO must be appointed only if the organisation meets any of the following criteria:

  1. Public authority – where the data processing is carried out by a public authority or body, with the exception of courts and independent judicial authorities.
  2. Companies that regularly handle data on a large scale – where the processing of user data is the organisation’s main activity and involves monitoring data subjects on a large scale.
  3. Companies that handle special categories of data on a large scale – where processing of special categories of data, as defined by the GDPR, happens regularly and at a large scale.

The European Commission has published Guidelines on Data Protection Officers, which give more information on terms used in the GDPR, such as ‘large scale’ and ‘main activity’ or ‘core activity’.

If a company conducts large-scale user data processing but is itself small, it’s possible to share a DPO with other small organisations. Conversely, if a company is too large for a single DPO, it may also need to appoint support staff for the post. Both of these scenarios are legally allowed under the GDPR.