Who is the DPO (Data Protection Officer)?


Data Protection Officer: meaning, characteristics and responsibilities

The General Data Protection Regulation (or GDPR) introduced in Europe the professional role of Data Protection Officer (DPO), the person principally responsible for ensuring that the management, processing and safeguarding of third parties’ personal data comply with the data protection rules.

Why is the Data Protection Officer a key figure? The GDPR requires organisations to hire a qualified professional to manage third parties’ private information and supervise general compliance with EU Regulation 2016/679, imposing penalties (4% of turnover) on companies that lack a DPO.

The designation of the Data Protection Officer is mandatory in the following cases:

  • Public administrations and public and judicial authorities carrying out their functions;
  • All entities whose core activity consists of processing operations that require regular monitoring of private data on a large scale;
  • All entities whose core activity consists of processing sensitive data concerning individuals’ health, judicial or biometric information on a large scale.

The Data Protection Officer, whose responsibilities to inform, monitor and cooperate are described in Art. 39 of the GDPR, must have deep knowledge of the laws and practices related to data protection and must carry out their duties independently, without any conflict of interest. It is also key that the Data Protection Officer has access to all available resources, personal data and data processing operations when carrying out these tasks.

Another important point concerns what makes a DPO necessary: the trigger is not the size of the company but the size and scope of the data processing. The GDPR does not specifically define what is meant by “large-scale” data processing; however, there are key factors to consider:

  • The number of people affected, both as an absolute number and as a proportion of the population;
  • The volume of data and the range of different kinds of data;
  • The duration of the data processing activity;
  • The geographical extent of the data processing.

The guidelines also list some examples of large-scale personal data processing:

  • the processing of patients’ data by hospitals;
  • the processing of customers’ data by banks;
  • the processing of personal data for advertising by search engines.

What are the main tasks and responsibilities of a Data Protection Officer?

As indicated in Art. 39 of the Regulation, the main tasks and responsibilities of a Data Protection Officer are:

  • Educate the whole organisation on data compliance requirements;
  • Train personnel involved in data processing activity;
  • Conduct audits to ensure compliance and address potential issues;
  • Interact with the GDPR supervisory authorities;
  • Monitor the performance and impact of data protection activities;
  • Keep complete records of all data processing activities conducted by the company, including their purposes, which must be made public upon request;
  • Liaise with data subjects to inform them about how their data is being used, their rights over the management of their personal data and the measures taken to protect it.

What skills are required to fulfill the role of Data Protection Officer?

It’s essential for an organisation to hire a qualified DPO in compliance with the GDPR. Although EU Regulation 2016/679 doesn’t list specific skills, it highlights that the level of education and experience required to fulfil the role of Data Protection Officer must be high (at least 5 years) in order to correctly manage the complexity of the data processing operations, especially at very large scale.

Some of the skills to consider when hiring a Data Protection Officer are:

  • Experience in studying and managing data privacy laws, under both European and international standards, including drafting privacy policies, technology provisions and compliance activities;
  • Experience in IT programming, including knowledge of information security;
  • Experience in performing information systems audits and risk assessments;
  • Ability to lead and manage multiple projects simultaneously;
  • Ability to coordinate multiple activities while preserving one’s independence;
  • Ability to keep up with emerging laws and technologies;
  • Last but not least, effective communication skills, in order to relate easily to different interlocutors such as the board of directors, the internal staff or the external authorities.

To avoid GDPR violations while raising the standards and efficiency of the DPO’s work, it can be helpful to adopt dedicated solutions for carrying out data privacy management tasks and fulfilling all the requirements: see Namirial’s GDPR solutions for professionals and companies.
