What is a GDPR Data Protection Officer and who needs to appoint one?
The role of the GDPR data protection officer, including specific duties and which companies must appoint a DPO.
GDPR legislation says that Data Protection Officers (DPO) must be appointed by some companies. This refers to public authorities and companies that process large amounts of data.
Most organisations that regularly handle, analyse, collect and process user data will need to appoint a DPO. The position is the main point of focus for all of the organisation’s GDPR activities.
Due to the high level of responsibility for data protection and GDPR, the appointed DPO must have a high level of expert knowledge on the legislation, practices and GDPR compliance.
Here’s how the GDPR defines a Data Protection Officer, including what they do, their legal obligations, the post’s specific responsibilities and the skills they need. DPOs ensure that organisations comply with GDPR and don’t risk a breach of their responsibilities that could lead to heavy financial penalties (€20 million or 4% of the organisation’s global revenue – whichever is highest).
GDPR Article 38 outlines the DPO position. It says:
“The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.”
The DPO is uniquely protected from internal interference from the organisation. The same article says that other employees legally can’t give the DPO any instructions about their actions.
The position is also bound by strict confidentiality and reports directly to the highest level of management. This article along with GDPR Article 39 outlines the major tasks of the DPO role. They are:
While every company regardless of its size should have a person handling personal data and GDPR compliance, the regulations state that a DPO must be appointed only if you meet the following criteria:
The European Commission has published Guidelines on Data Protection Officers, which gives more information on terms used in the GDPR, such as ‘large scale’ and ‘main activity’ or ‘core activity’.
If a company is conducting large scale user data processing but is itself smaller, it’s possible to share a DPO with other smaller organisations. On the other side, if a company is too large for one position of DPO, they may need to also appoint support staff for this post. Both of these scenarios are legally allowed under the GDPR.