From 25 May the General Data Protection Regulation (GDPR) applies to all organisations that process EU residents’ personal data. As part of your compliance project, it’s important to understand the role of the data protection officer (DPO).
The DPO’s role
A DPO can help you address the GDPR’s compliance demands. Their appointment is mandatory for:
- Public authorities;
- Organisations that require “regular and systematic monitoring of data subjects on a large scale”;
- Organisations that process special categories of personal data on a large scale.
However, even where the GDPR does not specifically require the appointment of a DPO, it is highly encouraged as a matter of good practice and to demonstrate compliance.
The DPO can be an external or an internal employee, as long as there’s no conflict of interest between the DPO and other business activities, and they’re independent in the sense that they’re not instructed how to perform their duties. The DPO must also have expert knowledge of data protection law and practices, and report to the highest level of management.
The DPO’s responsibilities
- Educating the organisation and its employees about their compliance requirements.
- Training employees involved in data processing.
- Being the point of contact between the organisation and the Supervisory Authority (the Information Commissioner’s Office (ICO) in the UK).
- Advising on data protection impact assessments.
- Keeping comprehensive records of all data, including the purpose of all processing activities.
- Ensuring data subjects are informed about how their data is being used, their rights and the measures the organisation has taken to protect their personal information.
Find out more about the EU GDPR