EVER WONDERED WHO MANAGES AN ORGANIZATION’S COMPLIANCE WITH THE PRINCIPLES AND POLICIES OF THE GDPR?
A Data Protection Officer (DPO) does that job, and in a sense they play the role of both a teacher and a leader. Their job revolves around making the people in their organization aware of the GDPR principles and policies and making sure that the data privacy guidelines are complied with. The GDPR requires a data controller or a data processor to appoint a DPO.
Article 37 of the GDPR sets out when a data controller or a data processor must appoint a DPO. Under Article 37, a company is exempt from appointing a DPO unless it engages in any of the three practices listed below:
So, yes, it is necessary for you to appoint a DPO if your organization processes data that falls within any of the three practices mentioned above. A DPO can be either a staff member or a contractor appointed under the terms of an agreement, and the DPO may carry out other tasks and duties as long as they do not result in a conflict of interest.
Yes! A single DPO can be appointed by a group of undertakings or by several public authorities, and the supervisory authority should be informed of such an appointment.
In addition, the controller and the processor must not instruct the DPO on how their job and tasks are to be carried out, nor may they penalise or dismiss the DPO.
Further, the position and the tasks of a DPO are mentioned in Articles 38 and 39 respectively.
The tasks of a DPO listed under Article 39 of the GDPR are not exhaustive, meaning the role is not limited to those mentioned below:
It is also important to understand that responsibility for the organization’s compliance with the GDPR does not rest with the DPO but with the data controller and the data processor, who are also required to demonstrate the compliance set-up in the organization.
Like any other job role, the requirements for a DPO vary with the needs and circumstances of the organization looking to appoint one. It is therefore preferable that the appointed DPO, besides knowing the policies, also understands how that particular business operates. No article of the GDPR specifies the professional qualities to be considered when appointing a DPO. Since the role is crucial to the organization, and non-compliance with the policies could lead to huge fines, organizations are always under pressure to choose the right candidate.
Therefore, a basic requirement when appointing a DPO is a command of, if not expertise in, international and European data protection law, together with extensive knowledge of the GDPR. The most common requirements for a DPO are given below:
A DPO should generally have strong management abilities and be able to communicate effectively with both internal and external stakeholders at all levels. Even when this could expose the company to substantial fines, a competent DPO will enforce internal compliance and warn the authorities about instances of non-compliance.
The DPO is a high-profile and high-responsibility position that will necessitate knowledge of national and European data protection laws and regulations, as well as a thorough understanding of the GDPR. Although the GDPR does not mandate the appointment of a DPO by every controller or processor, you should presume that you will need one until you can establish that you do not.
It would be vital to select the ideal candidate for your company, taking into account its size and industry. As a result, you’ll need to evaluate whether hiring a full-time DPO is the best approach to ensure your company complies with GDPR, or if part-time, shared, or an external consultant is a better alternative.