Data Protection Officer (DPO)

A Data Protection Officer (DPO) is an independent professional tasked with overseeing a company's data protection strategy and ensuring compliance with data privacy laws.

Since the arrival of the General Data Protection Regulation (GDPR), appointing a DPO has become mandatory for many organizations worldwide and a best practice in general.

This article will explore the role of a DPO, when and why you should appoint one, their key tasks and responsibilities, and how to select and appoint a suitable DPO for your business.

What is a Data Protection Officer (DPO)?

A Data Protection Officer (DPO) is a data privacy and security expert who supervises the execution of a company's data protection policies.

DPOs essentially help businesses develop GDPR-compliant data protection practices. However, they also monitor compliance with other privacy laws, making them essential personnel for any organization.

Once appointed, the DPO becomes your company's foremost authority on data privacy and security matters. They provide insights on all activities that involve collecting, using, or sharing personal data.

Note: The GDPR defines personal data as any information that can be used to identify a natural person, such as names, home/email addresses, phone numbers, financial details, web trackers, etc.

For instance, suppose a company wants to use cookies on its website/app. In this case, the DPO's responsibility is to ensure that the Cookie Policy and practices align with applicable privacy laws.

By implementing appropriate data protection measures, a DPO ultimately helps a company build trust with its customers, develop a positive reputation, and avoid costly legal consequences.

Now, let's examine when you are required to appoint a DPO under the GDPR.

When Must You Appoint a Data Protection Officer (DPO)?

Under Article 37, the GDPR identifies three factors that determine whether an applicable business must appoint a DPO.

But first, you need to find out if your business is subject to the GDPR. For more information on this, check out our article: Do I Need to Comply with the GDPR?

It's important to note that even when not legally required, appointing a DPO is considered a general best practice and is highly recommended by several authorities, including the European Data Protection Board (EDPB) and the French Data Protection Authority (CNIL).

What's more, having a DPO shows clients, partners, and stakeholders that your business takes data protection seriously and is committed to upholding high standards.

That said, consider the following questions to find out if your business must appoint a DPO under the GDPR.

Are you a public authority?

In short, you must appoint a DPO if your company can be classified as a public authority.

Although the GDPR doesn't clarify what a "public authority" means, we can deduce from various regulatory guidance that public authorities may include but aren't limited to the following:

• Governmental organizations
• Legislative bodies
• Law enforcement agencies (e.g., police forces)
• Higher education institutions
• Publicly-owned companies

Notably, the GDPR excludes courts acting in their judicial capacity from this category.

Do you monitor data subjects on a large scale?

The GDPR requires you to appoint a DPO if your core activities involve data processing operations that require "regular and systematic monitoring of data subjects on a large scale."

Let's unpack this.

First, "data subjects" refer to EU residents whose data you collect or process to facilitate your business operations.

On the other hand, systematic monitoring includes all forms of tracking and profiling of individuals, both online and offline. Typical examples include behavioral advertising, location tracking, CCTV surveillance, etc.

These activities have the potential to threaten user privacy if carried out frequently and on a large scale, hence the need to appoint a DPO.

Do you process special categories of data or data relating to criminal convictions and offenses on a large scale?

Under the GDPR, special categories of data require stricter protections as they are more sensitive than standard personal information. They include data relating to the following:

• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic data
• Biometric data
• Health data
• Sexual orientation

If your business processes any of these data types on a large scale, you must appoint a DPO. You'll also need a DPO if you process substantial volumes of data relating to criminal convictions and offenses.

In sum, if you answered yes to any of the questions above, you are legally obligated to appoint a DPO.

Keep in mind that failing to do so may expose you to lawsuits and fines of up to €10 million, or 2% of your company's annual global turnover.

Internal vs External Hire Data Protection Officer (DPO)

There are no restrictions on whether a DPO must be hired in-house as an employee or retained as an outside consultant.

There are advantages and disadvantages to each approach:

• In-house DPOs may have easier access to your company's resources.

  This is important when you consider that the DPO not only has a wide range of responsibilities but also specific rights.

  The DPO needs authority to use company resources to fulfill their duties and update their training and knowledge.

  Privacy laws can change quickly and you need to empower the DPO to stay informed.

  Your DPO also requires access to IT and security professionals to assess the quality of their performance.

  DPOs also stay in contact with managers who can effect changes if they become necessary. Many companies find maintaining a DPO in-house makes this communication scheme work much better.

  However, the DPO position also requires independence as well as discretion. That can be difficult to manage in some work environments.

• Outside consultants offer this independence in addition to well-developed expertise.

  There's a third option.

• Some companies err on the side of overkill and hire both an external and internal DPO.

  The internal DPO is available for day-to-day security considerations and that allows any problems to get addressed quickly.

  However, an external DPO can audit processes in a truly independent manner and offer expertise that may not be within the knowledge base of your internal officer.

  This is likely to enhance your compliance with the law and help you avoid penalties.

  In Germany, this approach is encouraged as it has proven to allow for maximum data protection.

Responsibilities of a Data Protection Officer (DPO)

Under Article 39, the GDPR outlines the primary tasks a DPO undertakes in an organization.

Remember: The DPO supervises all activities involving the processing of personal data, which may go beyond the tasks specified in the GDPR. This is fine as long as there are no conflicts of interest with any additional task.

Having established that, a DPO's main responsibilities are as follows:

Monitoring compliance with data privacy laws

The DPO monitors your company's compliance with data privacy laws (particularly the GDPR) and ensures that all data protection systems are up-to-date.

From assigning duties and performing internal audits to educating employees and promoting a data privacy culture, the DPO is at the forefront of your company's data protection operations.

Providing relevant information and advice

As a subject matter expert, the DPO advises and supports various departments within your company, making sure that data protection is integrated into all processes.

The DPO also leverages extensive knowledge of data protection to answer any questions or concerns you or your staff may have about compliance with the GDPR and other privacy laws.

Finally, the DPO provides recommendations for improving your company's general data privacy practices.

Providing insights on Data Protection Impact Assessments (DPIAs)

A Data Protection Impact Assessment (DPIA) identifies potential privacy risks associated with specific data processing activities and recommends solutions to mitigate them.

Thanks to a deep understanding of data privacy, the DPO is in the best position to provide insights on DPIAs, and the GDPR echoes this sentiment.

Cooperating with Data Protection Authorities (DPAs)

The DPO serves as your company's primary contact point for Data Protection Authorities (DPAs), customers, and other stakeholders on data privacy matters.

DPOs collaborate with data protection authorities by responding to requests for information, granting access to records, and cooperating with investigations.

Other key responsibilities of a DPO

In addition to the GDPR-prescribed duties outlined above, a DPO also performs (or weighs in on) the following privacy-related operations:

• Assisting in the exercising of individual privacy rights
• Setting up robust data security systems
• Managing data breaches
• Maintaining comprehensive records of data processing activities
• Staying updated on changes within the privacy landscape and adapting accordingly

How to Select a Data Protection Officer (DPO)

Before selecting an appropriate DPO for your company, you need to understand what qualities to look for. And while the GDPR doesn't provide a specific list of credentials, it does offer some guidelines in Recital 97.

Below are the essential qualities to look out for when choosing a DPO for your company.

Expert knowledge of data protection laws

A DPO should have an in-depth understanding of applicable data protection laws, particularly the GDPR. They should also have experience applying these laws in practice and be able to advise your company on best practices.

Importantly, your DPO's level of expertise must be proportionate to your data processing activities. In other words, the more complex or high-risk your data processing activities are, the more advanced your DPO's knowledge must be.

Independence and absence of conflict of interest

The ability to work independently is critical for a DPO. Accordingly, the DPO must only report to the highest level of management and cannot be punished for performing their responsibilities.

In addition, DPOs mustn't have a conflict of interest that interferes with their responsibilities.

Communication skills

A DPO must have excellent communication skills to properly explain data privacy issues and offer useful counsel to a company.

You need someone who can simplify complex privacy concepts for people at all levels, from technical staff to executives and relevant authorities.

Technical expertise

Your DPO must be acquainted with the technical aspects of data privacy, such as cyber security, information technology, and data security systems.

For instance, the DPO should know how to relate with IT and other departments for a Data Subject Access Request (DSAR).

This knowledge allows a DPO to assess the effectiveness of your company's existing security measures and contribute meaningfully to its improvement. It also allows them to weigh in on technical privacy issues such as data breaches, DPIAs, international data transfers, etc.

How to Appoint a Data Protection Officer (DPO)

When it comes to appointing a DPO for your company, there are a few important things to keep in mind:

1. The GDPR allows you to either appoint a DPO internally within your company or outsource this role externally by hiring an expert consultant. In any case, the DPO's position, tasks, and responsibilities remain the same.
2. You cannot appoint more than one DPO for your company. However, this doesn't prevent you from designating other data privacy professionals to support your DPO.
3. You can appoint a single DPO to serve multiple companies or public authorities as long as doing so doesn't affect performance.
4. You must provide the DPO with the resources needed to perform their duties, including access to all relevant information, support from other staff, essential training, etc.

Once you've ironed out all the necessary details, you'll need to nominate your DPO and document the appointment through an official DPO appointment letter.

This letter must contain the following details:

• Your company's name
• The name of your appointed DPO
• The name of the DPO's reporting manager
• A summary of the DPO's responsibilities
• A notice about the DPO's independence
• Signatures from the DPO, relevant representatives, and your company's managing director

For more information, check out our article: GDPR Appointment of Data Protection Officer Letter.

Finally, you must ensure that your DPO's name and contact details are publicly available to your staff, consumers, and relevant authorities. This information is typically displayed within a Privacy Policy.

Here's how Oracle displays its DPO's information in its Privacy Policy:

Summary

A DPO is a data privacy specialist designated to help your company comply with the GDPR and other applicable privacy laws.

Under the GDPR, you must appoint a DPO if any of the following applies:

• You're a public authority
• Your core activities involve data processing operations that require regular and systematic monitoring of data subjects on a large scale
• Your core activities involve processing a considerable amount of special categories of data or data concerning criminal convictions or offenses

The DPO performs numerous privacy-related functions, including but not limited to monitoring compliance, advising management, monitoring DPIAs, training staff, and cooperating with data protection authorities.

To be effective, a DPO must possess certain qualities and competencies to handle privacy-related issues. This includes the following:

• An extensive understanding of privacy laws and the ability to navigate complex data protection issues
• Excellent communication skills
• Independence
• No conflict of interest
• Technical proficiency and knowledge of data security systems

When appointing a DPO for your company, you'll need to observe certain guidelines and draft an official DPO appointment letter that contains relevant details as identified above.

Finally, remember to make your DPO's name and contact information public by including it in your Privacy Policy.