Any company that collects and/or processes the personal data of EU residents needs to comply with the General Data Protection Regulation (GDPR). Policies and procedures must be developed and security controls must be in place to protect the confidentiality, integrity and availability of personal data. It is the main duty of the appointed Data Protection Officer (DPO) to oversee GDPR compliance of a company.
Are all companies required to appoint a Data Protection Officer?
Article 37 of the GDPR sets out this requirement. In general, large companies with more than 250 employees need to have a DPO. Small companies with fewer than 250 employees may or may not need a DPO, depending on these factors: the volume of personal data processed; whether special category data is processed; and the nature of the business.
A company must appoint a DPO if any of the following conditions applies:
- Data processing is performed by a public authority or body
- The core activities of the data controller or processor consist of regular and systematic monitoring of data subjects on a large scale
- The core activities of the data controller or processor consist of large-scale processing of special category data
If the company does not appoint a DPO, it must document why a DPO is not considered necessary.
Who can be appointed as DPO?
There are no specific qualifications required of a DPO. Any member of staff in an organization can be appointed as DPO. A group of companies can share a single DPO as long as the DPO is easily accessible from each of them. Below are some of the important points to consider when choosing a DPO:
- The individual must have data protection experience and know the GDPR requirements very well
- The individual must not have a conflict of interest with his/her other duties in the company
- The DPO must report to the highest management level of the data controller or processor
- The DPO must be bound by secrecy or confidentiality in performing his/her tasks
- The DPO must be given sufficient resources to perform his/her role effectively
What are the roles of a DPO?
GDPR Article 30 details the five important roles of a DPO.
- To inform and advise the data controller or processor, and the employees directly involved in personal data processing, of their obligations under the GDPR
- To monitor GDPR compliance with respect to personal data protection and to train employees so that they know their responsibilities in processing operations
- To provide guidance on, and monitor the performance of, data protection impact assessments
- To cooperate with the supervisory authority
- To serve as the supervisory authority's point of contact within the company