There are many questions around why a Data Protection Officer (DPO) is needed and what their role is in an organisation. In this post, I’ll answer common questions that have been asked by organisations seeking to comply with the GDPR and DPA and from those looking to take on a DPO role.
What is the role of a DPO and is it new?
The term DPO is not new, but it was not widely used until the advent of the GDPR; it already existed in the European Directive 95/46. With the GDPR, the appointment of a DPO has been made mandatory for three main categories of organisations and businesses:
(a) Public authorities and bodies, other than the courts
(b) Organisations whose core activities require regular and systematic monitoring of subjects on a large scale
(c) Organisations processing personal data of specific categories, such as genetics, biometrics, health data etc.
How would you describe the role of the DPO in an organisation?
There are various interpretations of this role. It has been suggested that the DPO is the “long hand” of the Data Protection Authority, its “eyes and ears” within the organisation, or an informal internal auditor who can carry out audits and communicate their findings to the Authority. There is a bit of truth in each, as the primary role of the DPO is to ensure that their organisation processes the personal data of its staff, customers, providers or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules.
How important are the personal data of the subjects that are managed and processed by a business?
Firstly, the purpose of personal data protection isn’t just to protect a person’s data, but to protect the fundamental rights and freedoms of the persons to whom that data relates. By protecting personal data, it is possible to ensure that those persons’ rights and freedoms aren’t being violated.
There are whole business models based almost exclusively on the processing of personal data. When done properly, it leads to customer retention based on trust thereby increasing brand value.
What do you think is the biggest challenge for a DPO?
The DPO has the overall responsibility of orchestrating the compliance process, thereby embedding a new corporate culture of data protection awareness. By nature, people and corporations are resistant to change.
Can the consumer contact the DPO directly?
Any interested person may contact the DPO to be informed about the categories of personal data being processed, the purposes of the processing, the potential recipients of the data and, in particular, their rights as derived from the Regulation.
Do you have specific questions you’d like answered? Please feel free to reach out to one of our Data Protection experts.
You may also be interested in our webinar series that is available on-demand.
- 6 Things to do to Meet GDPR 3rd Country Requirements
- What Data Flow Mapping Looks Like and How to Start
- How to Conduct a Data Privacy Impact Assessment (DPIA)
- How to Implement Data Protection by Design & Default
- Data Protection: What Constitutes ‘Evidence of Compliance?’