Ali Talip Pınarbası

Understanding the Role and Importance of a Data Protection Officer (DPO)


When an organisation collects and processes sensitive personal data such as health data or when it monitors the behavior of individuals via tools such as tracking cookies, it exposes its customers, website visitors, and/or its employees to high risks to their privacy due to the nature of the processing activities. 

Therefore, such an organization should seek an expert’s advice on how to comply with the EU and the UK GDPR’s strict requirements and monitor its GDPR compliance at all times. 

This is where the concept of a Data Protection Officer comes into the picture:  The EU and the UK GDPR require organizations to appoint a Data Protection Officer if they fulfil certain criteria. 

A Data Protection Officer (“DPO”) is a data protection law expert whose primary functions are to inform an organization about the GDPR compliance requirements, to advise on compliance with the GDPR, and to monitor the organization’s GDPR compliance effort on an ongoing basis.

A DPO can play a critical role in an organization’s GDPR compliance efforts by helping the organization identify high-risk data processing activities and by providing advice on how to achieve compliance with the EU and the UK GDPR. 

In this article, we will help you understand if you need to appoint a DPO, what responsibilities a DPO is tasked with, and what qualifications a DPO should have. 

What is a Data Protection Officer (DPO)?

A Data Protection Officer can be defined as an independent data protection law expert who oversees an organization’s compliance with the EU and the UK GDPR and enables the organization to achieve compliance with the GDPR requirements.

However, we should note that the data controller and/or the data processor still remain liable to ensure compliance with the GDPR, and if they violate the provisions of the GDPR, they would still be the ones to suffer the consequences: The responsibility does not pass to a DPO. 

While the concept of the DPO was first introduced into the law in Articles 37-39 of the GDPR, organizations across the EU had long been appointing DPOs before the GDPR.

Article 37 of the GDPR states that an organization should involve its DPO in “all issues which relate to the protection of personal data” and enable the DPO to carry out the tasks listed in Article 39 of the GDPR. 

Under Article 39 of the GDPR, the primary responsibility of the DPO is to advise an organization on its GDPR compliance obligations and to oversee its GDPR compliance efforts. For instance, a data controller may be subject to various GDPR obligations from the moment it collects personal data to the time when it permanently deletes that data.

These obligations may include handling data subject requests, signing data processing agreements with data processors, and compliance with data minimization principles. 

A DPO should inform a data controller/data processor of all its GDPR obligations and provide advice on how to comply. 

In other words, a DPO acts as an “orchestra conductor” of the entire lifecycle of the personal data. 

When Must an Organisation Appoint a Data Protection Officer?

Under the EU and the UK GDPR, you are required to appoint a DPO if you fulfil one of these three criteria:

  • If your core activities consist of the regular and systematic monitoring of individuals on a large scale.

As you can infer from this criterion, three elements need to be satisfied.

Firstly, “core activities” refer to your primary business objectives; if you collect and use personal data to achieve your primary objectives, you may fulfil this element.

Secondly, your processing of personal data should consist of regular and systematic monitoring of individuals. This would include online tracking, profiling, and behavioral advertising.

Thirdly, the monitoring of individuals should be conducted on a large scale. While there are no set thresholds, you need to consider various criteria such as the number of individuals concerned, the volume of personal data, and the range of personal data.

  • If you process sensitive personal data on a large scale.

When you collect and use sensitive personal data such as health data or data related to racial or ethnic origin, it exposes individuals to higher risks. Therefore, if you process such data on a large scale, you are required to appoint a DPO.

  • If you are a public authority or body.

If you are a public authority or body, you must appoint a DPO. However, public bodies acting in a judicial capacity are exempt.

Key Responsibilities of a Data Protection Officer

Article 39 of the GDPR lists the key responsibilities of a DPO, which are as follows: 

  • To inform and advise both the organization and its employees about the GDPR and other data protection law requirements

A DPO is tasked with informing an organization and its employees about the requirements of both the GDPR and other relevant data protection laws. For instance, the PECR would be another relevant data protection law in the UK.

In discharging this duty, a DPO may draft decisions to establish new processes or revise existing processes. For example, a DPO may advise that the organization make changes to existing processing activities to ensure compliance with the GDPR’s data minimization principles. Furthermore, drafting internal policies and rules related to data protection laws, such as data retention policies, would also fall under the scope of this task.

  • To oversee the organization’s compliance with the GDPR and other privacy laws

Under Article 39(1)(b) of the GDPR, a DPO is required to monitor an organization’s compliance with the GDPR and other data protection laws on a continuous basis.

To discharge this duty, a DPO may ask for information from different departments within the organization to identify personal data processing activities, and may review the existing data processing activities for compliance.

  • Providing advice on data protection impact assessments (DPIAs)

Article 39(1)(c) of the GDPR requires that a DPO provide advice in relation to data protection impact assessments upon request, in accordance with Article 35 of the GDPR.

In its Guidance on DPOs, the WP29 recommends that the DPO provide advice on a variety of issues, such as whether to conduct a DPIA, whether a DPIA has been carried out in compliance with the GDPR, and how to carry out a DPIA.

  • Acting as the first point of contact for the Supervisory Authority and cooperating with the Supervisory Authority

A Supervisory Data Protection Authority such as the UK’s ICO can exercise various powers, such as the investigative and corrective powers listed in Article 58 of the GDPR.

For instance, a Supervisory Authority may start an investigation and ask for internal documents from an organization.

Therefore, a DPO is tasked with being a point of contact for the Supervisory Authorities and enabling the Authority to gain access to the necessary documents and information.

  • Acting as the first point of contact for individuals whose data are handled by the organization

When an individual exercises one of the rights listed in Articles 13-23 of the GDPR, such as the right of access or the right to deletion of their data, a DPO should act as the first point of contact and advise on how to handle the data subject request.

What Qualifications and Skills Should a DPO Have?

Article 37(5) of the GDPR states that an organization shall appoint a DPO “on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices”. 

Furthermore, the organization should also consider a DPO’s capability to fulfil the key tasks of a DPO listed in Article 39 of the GDPR, such as providing advice on data protection impact assessments.

As you may notice, the GDPR does not specify any particular qualifications for a DPO.

However, both the ICO’s and the EDPB’s Guidance on DPOs state that a DPO should have expert knowledge of both the EU GDPR and other data protection laws.

In terms of the level of expertise, the ICO’s Guidance on DPOs states that the level of expertise of the DPO should be commensurate with the level of risk to the personal data and the types of processing activities.

The ICO also recommends that a DPO has knowledge of the specific sector in which your organization operates.

Last but not least, strong communication and organizational skills are also critical to the key tasks of a DPO because a DPO must communicate with various stakeholders on an ongoing basis. 

Ensuring the Independence of the Data Protection Officer

A DPO can carry out his/her duties successfully only if he/she is allowed to provide the most objective and accurate advice. Therefore, it is vital to ensure the independence and autonomy of the DPO.

Article 38(3) of the GDPR provides that an organization must not instruct a DPO on how to perform his/her tasks, and must not dismiss or penalize a DPO for performing them.

Furthermore, Recital 97 to the GDPR clarifies that even when an existing employee of an organization is appointed as a DPO, the DPO shall still act independently and autonomously when performing his/her tasks. 

For example, an organization cannot require that the DPO interpret the GDPR requirements in a particular way, nor can it give instructions on how to handle data subject requests or on which data breaches to report to the supervisory authority.

Frequently Asked Questions about Data Protection Officers

Can a DPO hold other positions within the organization?

Yes, Article 38(6) of the GDPR states that a DPO can perform other functions within the organization as long as there are no conflicts of interest.

What are the potential conflicts of interest for a DPO?

If another role requires the DPO to determine the purposes and the means of processing personal data, this would give rise to conflicts of interest. 

How often should a DPO conduct data protection audits?

There are no specified intervals for carrying out a data protection audit. A DPO should take into account various criteria such as the volume of personal data processed, categories of data, and the organizational needs to determine how often to conduct audits. 

What are the consequences of not appointing a DPO when required?

If you fail to appoint a DPO under the UK GDPR, you may face fines up to £8.7 million or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher.

Under the EU GDPR, you may face administrative fines of up to 10 million Euros, or up to 2% of the total worldwide annual turnover of the preceding financial year.

Best Practices for Managing the Role of a DPO

Data protection law is a highly complicated and dynamic area of law where new developments occur almost every day. 

Therefore, DPOs should follow certain best practices to stay up-to-date and to facilitate GDPR compliance. 

Firstly, a DPO should receive regular training on data protection laws and educate themselves on the relevant data protection laws. For instance, they may sign up for courses or attend events and seminars organized by the supervisory authorities. 

Secondly, DPOs should conduct audits on a regular basis to identify any non-compliant processes or practices so that they can advise organizations on how to bring their data processing activities into compliance. 

Furthermore, DPOs should be transparent and honest when it comes to communication with data subjects and supervisory authorities. 

The Essential Role of the DPO in Ensuring GDPR Compliance

The GDPR is legislation that applies to almost all types of personal data, and it is relevant to all business units, from human resources to the marketing and sales departments.

By having a DPO who oversees GDPR compliance and advises on how to comply, organizations can facilitate their GDPR compliance efforts.

From carrying out data protection impact assessments to handling data access requests, there are highly complicated GDPR compliance requirements that demand a data protection law expert. 

Therefore, a DPO can enable organizations to facilitate GDPR compliance and to navigate the complexities of data protection laws. 

Further Reading and Resources on Data Protection Officers

WP29’s Guidelines on DPO: 

https://ec.europa.eu/newsroom/just/document.cfm?doc_id=44100 

GDPR Text and Recitals: 

https://gdpr-info.eu/ 

https://gdpr-info.eu/recitals/no-97/ 

The UK Data Protection Authority’s Guidance on DPOs: 

https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/accountability-and-governance/data-protection-officers/#ib8 

French Data Protection Authority’s Guidance on the DPOs:

https://www.cnil.fr/sites/cnil/files/atoms/files/cnil-gdpr_practical_guide_data-protection-officers.pdf 

July 29, 2024
