Until now, the role of a data protection officer (DPO) had been largely undefined. Historically, data was considered primarily in the context of computing, and those given the role of a DPO were frequently professionals with an information and communications technology background. In fact, prior to the General Data Protection Regulation (GDPR), very few countries had required the appointment of a DPO or other data privacy role within an organization. Given the ubiquitous nature of technology today, the role and expectations of a DPO have diversified and expanded, especially in light of the GDPR.
The GDPR requires the appointment of a DPO if an entity: is a public authority; carries out large scale systematic monitoring of individuals; or carries out large scale processing of special categories of data or data relating to criminal convictions and offenses. The European Parliament, the Council of the European Union, and the European Commission have mandated this role to strengthen and streamline data protection for European Union residents. A DPO can be viewed as the authority on data privacy and data governance in a particular organization. As the first point of contact on data privacy-related matters, DPOs are responsible for overseeing data protection strategy and implementation to ensure company compliance.
What Are the Requirements of a DPO?
While the GDPR does not list specific credentials that a DPO must possess, Article 37 does require a DPO to have “expert knowledge of data protection law and practices.” It also requires that this expertise be proportionate to the organization’s data processing operations and the level of data protection required (based on the types of personal data and the purposes for which such personal data is processed).
Some suggested qualifications include:
- Expertise in national and European data protection laws and practices, including in-depth understanding of the GDPR
- Understanding of the organization’s data processing operations
- Understanding of information technology and data security
- Knowledge of the organization’s business sector and position within the industry
- Ability to promote a data protection culture within the organization
The DPO need not be an attorney or be appointed in-house, and the GDPR clarifies that the role can be filled by a contractor. The DPO, as stated in Article 38(6), must also avoid conflicts of interest. Though the DPO can hold other roles within an organization, those holding roles such as CEO, CFO, or head of marketing, HR, or IT generally cannot concurrently serve as a DPO.
What Is the DPO’s Position Within an Organization?
A DPO is integral to an organization and should be given the independence, rights, and responsibilities to carry out this role.
In order to ensure that a DPO can act independently, a DPO should not receive any instructions on how to perform his or her duties. A DPO must be responsible for overseeing his or her own budget and should not report to a direct superior (other than the highest level of management). Furthermore, an organization must provide a DPO with the resources and the authority to investigate, such as providing immediate access to all personal data processing operations.
A DPO must ensure that the DPO role does not conflict with any other duties he or she holds. To avoid conflicts of interest, a DPO should not be a controller of processing activities, or an employee on a short-term or fixed-term contract. An organization must also establish the minimum term of a DPO’s appointment, as well as strict conditions for dismissal. For instance, in the EU institutions and bodies, the DPO is appointed for two to five years, may be reappointed for up to a maximum of ten years, and can only be dismissed with the European Data Protection Supervisor’s consent.
What Are the DPO’s Responsibilities?
As stated in Article 39 of the GDPR, a DPO’s responsibilities include:
- Educating the company and employees on important compliance requirements
- Training staff involved in data processing
- Conducting audits to ensure compliance and address potential issues proactively
- Serving as the point of contact between the company and EU Supervisory Authorities
- Monitoring compliance with the GDPR and providing advice on data protection impact assessments (DPIAs)
- Maintaining comprehensive records of all data processing activities conducted by the company, including the purpose of all processing activities, which must be made public on request
- Interfacing with data subjects to inform them about how their data is being used, their rights to have their personal data erased, and the measures the company has put in place to protect their personal data
The International Association of Privacy Professionals (IAPP) predicts that 75,000 DPOs will be needed globally for regulated organizations to achieve GDPR compliance when the law goes into effect in May 2018. Indeed.com, a job search engine, has reported a 700% increase in DPO job listings in Britain over the past 18 months. In data-rich industries, such as tech, finance, and healthcare, a DPO is required to guarantee the utmost compliance and protection.
Because DPOs must be in place prior to the GDPR’s effective date, organizations are advised to begin appointing their DPOs as soon as possible in order to ensure the strongest consumer protection and the best possible company compliance.
In light of the GDPR and other privacy-related developments, we will ensure that serving ads to your app and mobile website end-users through the Smaato platform continues. We strive to provide ongoing GDPR and privacy suggestions and best practices that can enable the highest quality service, and we are committed to assisting our partners with their GDPR and privacy compliance efforts.
Disclaimer: The information on this webpage is for general information only and does not constitute legal advice. Please consult your own legal professionals if you seek advice on specific interpretations and requirements of the GDPR.