Who is the Data Protection Officer?
Every day, companies collect terabytes of data about their customers, staff and other individuals for various reasons, which is why the European Union has introduced a set of reforms known as the General Data Protection Regulation (GDPR) that aim to protect personal information. Among these reforms is a requirement for companies to appoint a Data Protection Officer.
What is the Data Protection Officer?
Under Article 37, the Data Protection Officer is an individual who ensures that data is collected, processed and stored in line with the GDPR requirements. The DPO is a data protection expert who performs his/her duties with complete independence.
Do you need a DPO?
To improve data protection for EU citizens, the European Union has made it mandatory for all organizations that collect, process and store large amounts of data on “data subjects” to appoint a Data Protection Officer. The “data subjects” can be employees of the organization, outside individuals or both.
What role does the DPO play?
The main role of the Data Protection Officer is to ensure compliance within the organization. Other responsibilities of the DPO include but are not limited to:
- informing and educating individuals within the organization about the data protection rules
- ensuring compliance with the policies of the data protection authority
- assigning responsibilities to, and training, staff involved in data processing
- advising the organization on the rules of data protection
- monitoring, analyzing and evaluating performance with a view to improving data protection
How is the DPO different from other data officers?
Many organizations have chief data officers, such as the CIO and CISO, who ensure that data is protected. The difference between the DPO and other such roles is that the DPO is much more independent in how he/she works. The GDPR very clearly states in Article 39 that the DPO is there to ensure that data is processed as per the rules of the data protection authority; the DPO cannot be asked to do anything other than that. He/she may be an employee of the organization but works with the highest level of management.
Appointing a DPO
When appointing a DPO, the organization must keep in mind his/her understanding of the organization’s operations and infrastructure, along with his/her qualifications. GDPR states that the DPO must have expert knowledge of data protection laws and practices. He/she should also be able to ensure compliance and to report non-compliance to the authorities. The appointed DPO can be an existing employee of the organization or someone hired externally.