What does DPO mean?
“DPO” means Data Protection Officer. A Data Protection Officer (DPO) is a data protection law expert whose primary functions are to inform an organisation about the GDPR compliance requirements, to advise on compliance with the GDPR, and to monitor an organisation’s GDPR compliance effort on an ongoing basis.
When an organisation collects and processes sensitive personal data such as health data or when it monitors the behaviour of individuals via tools such as tracking cookies, it exposes its customers, website visitors, and/or its employees to high risks to their privacy due to the nature of the processing activities.
Therefore, such an organisation should seek an expert’s advice on how to comply with the EU and the UK GDPR’s strict requirements and monitor its GDPR compliance at all times.
This is where the concept of a Data Protection Officer comes into the picture: The EU and the UK GDPR require organisations to appoint a Data Protection Officer if they fulfil certain criteria.
What is a Data Protection Officer (DPO)?
A Data Protection Officer can be defined as an independent data protection law expert who oversees an organisation’s compliance with the EU and the UK GDPR and enables an organisation to achieve compliance with the GDPR requirements.
However, we should note that the data controller and/or the data processor still remain liable to ensure compliance with the GDPR, and if they violate the provisions of the GDPR, they would still be the ones to suffer the consequences: The responsibility does not pass to a DPO.
While the concept of DPO was first introduced to the law in articles 37-39 of the GDPR, organisations had long been appointing DPOs across the EU before the GDPR.
Article 37 of the GDPR states that an organisation should involve its DPO in “all issues which relate to the protection of personal data” and enable the DPO to carry out the tasks listed in Article 39 of the GDPR.
Under Article 39 of the GDPR, the primary responsibility of the DPO is to advise organisations on their GDPR compliance obligations and to oversee their GDPR compliance efforts. For instance, a data controller may be subject to various GDPR obligations from the moment it collects personal data to the time when it permanently deletes that personal data.
These obligations may include handling a data subject access request, signing data processing agreements with data processors, and compliance with data minimisation principles.
A DPO should inform a data controller/data processor of all its GDPR obligations and provide advice on how to comply.
In other words, a DPO acts as an “orchestra conductor” of the entire lifecycle of the personal data.
When Must an Organisation Appoint a Data Protection Officer?
Under the EU and the UK GDPR, you are required to appoint a DPO if you fulfil one of these three criteria:
- Your core activities require “large scale, regular and systematic monitoring of individuals”
As you can infer from this definition, three elements need to be satisfied.
Firstly, “core activities” refers to your primary business objectives; if you collect and use personal data to achieve those primary objectives, you may fulfil this criterion.
Secondly, your processing of personal data should consist of regular and systematic monitoring of individuals. This would include online tracking, profiling, and behavioural advertising.
Thirdly, the monitoring of individuals should be conducted on a large scale. While there are no set thresholds, you need to consider various criteria such as the number of individuals concerned, the volume of personal data, and the range of personal data.
- Your core activities “consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.”
When you collect and use sensitive personal data such as health data or data related to racial or ethnic origin, it exposes individuals to higher risks. Therefore, if you process such data on a large scale, you are required to appoint a DPO.
- If you are a public authority or body.
If you are a public authority or body, you must appoint a DPO. However, public bodies acting in a judicial capacity are exempt.
Key Responsibilities of a Data Protection Officer
Article 39 of the GDPR lists the key responsibilities of a DPO, which are as follows:
- To inform and advise both the organisation and its employees about the GDPR and other data protection law requirements
A DPO is tasked with informing an organisation and its employees about the requirements of both the GDPR and other relevant data protection laws. For instance, the PECR would be another relevant data protection law in the UK.
In discharging this duty, a DPO may draft decisions to establish new processes or revise existing processes. For example, a DPO may advise that the organisation make changes to existing processing activities to ensure compliance with the GDPR’s data minimisation principles. Furthermore, drafting internal policies and rules related to data protection laws such as data retention policies would also fall under the scope of this task.
- To oversee the organisation’s compliance with the GDPR and other privacy laws
Under Article 39(1)(b) of the GDPR, a DPO is required to monitor an organisation’s compliance with the GDPR and other data protection laws on a continuous basis.
To discharge this duty, a DPO may ask for information from different departments within the organisation to identify personal data processing activities, and may review the compliance of the existing data processing activities.
- Providing advice on data protection impact assessments (DPIAs)
Article 39(1)(c) of the GDPR requires that a DPO provide advice in relation to data protection impact assessments upon request, in accordance with Article 35 of the GDPR.
In its Guidance on DPOs, the WP29 recommends that the DPO provide advice on a variety of issues, such as whether to conduct a DPIA, how to carry out a DPIA, and whether a DPIA has been carried out in compliance with the GDPR.
- Acting as the first point of contact for the Supervisory Authority and cooperating with the Supervisory Authority
A Supervisory Data Protection Authority such as the UK’s ICO can exercise various powers, such as the investigative and corrective powers listed in Article 58 of the GDPR.
For instance, a Supervisory Authority may start an investigation and ask for internal documents from an organisation.
Therefore, a DPO is tasked with being a point of contact for the Supervisory Authorities and enabling the Authority to gain access to the necessary documents and information.
- Acting as the first point of contact for individuals whose data are handled by the organisation
When an individual exercises the rights listed in Articles 13-23 of the GDPR, such as the right of access or the right to erasure of their data, a DPO should act as the first point of contact and advise on how to handle data subject requests.
What Qualifications and Skills Should a DPO Have?
Article 37(5) of the GDPR states that an organisation shall appoint a DPO “on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices”.
Furthermore, the organisation should also consider a DPO’s capability to fulfil the key tasks of a DPO listed in Article 39 of the GDPR, such as providing advice on data protection impact assessments.
As you may notice, the GDPR does not specify any particular qualifications for a DPO.
However, both the ICO’s and the EDPB’s Guidance on DPOs state that a DPO should have expert knowledge of both the EU GDPR and other data protection laws.
In terms of the level of expertise, the ICO’s Guidance on DPOs states that the level of expertise of the DPO should be commensurate with the level of risk to the personal data and the types of processing activities.
The ICO also recommends that a DPO has knowledge of the specific sector in which your organisation operates.
Last but not least, strong communication and organisational skills are also critical to the key tasks of a DPO because a DPO must communicate with various stakeholders on an ongoing basis.
Ensuring the Independence of the Data Protection Officer
A DPO can carry out his/her duties successfully only if he/she is allowed to provide the most objective and accurate advice. Therefore, it is vital to ensure the independence and autonomy of the DPO.
Article 38(3) of the GDPR provides that an organisation must not instruct a DPO on how to carry out his/her tasks, and must not dismiss or penalise a DPO for performing those tasks.
Furthermore, Recital 97 to the GDPR clarifies that even when an existing employee of an organization is appointed as a DPO, the DPO shall still act independently and autonomously when performing his/her tasks.
For example, an organisation cannot require that the DPO interpret the GDPR requirements in a particular way, nor can it give instructions on how to handle data subject requests or on which data breaches to report to the supervisory authority.
Frequently Asked Questions about Data Protection Officers
Can a DPO hold other positions within the organisation?
Yes, Article 38(6) of the GDPR states that a DPO can perform other functions within the organisation as long as there are no conflicts of interest.
What are the potential conflicts of interest for a DPO?
If another role requires the DPO to determine the purposes and the means of processing personal data, this would give rise to conflicts of interest.
How often should a DPO conduct data protection audits?
There are no specified intervals for carrying out a data protection audit. A DPO should take into account various criteria such as the volume of personal data processed, categories of data, and the organisational needs to determine how often to conduct audits.
What are the consequences of not appointing a DPO when required?
If you fail to appoint a DPO under the UK GDPR, you may face fines up to £8.7 million or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher.
Under the EU GDPR, you may face administrative fines of up to 10 million Euros, or up to 2% of the total worldwide annual turnover of the preceding financial year.
Best Practices for Managing the Role of a DPO
Data protection law is a highly complicated and dynamic area of law where new developments occur almost every day.
Therefore, DPOs should follow certain best practices to stay up-to-date and to facilitate GDPR compliance.
Firstly, a DPO should receive regular training on data protection laws and educate themselves on the relevant data protection laws. For instance, they may sign up for courses or attend events and seminars organised by the supervisory authorities.
Secondly, DPOs should conduct audits on a regular basis to identify any non-compliant processes or practices so that they can advise organisations on how to bring their data processing activities into compliance.
Furthermore, DPOs should be transparent and honest when it comes to communication with data subjects and supervisory authorities.
The Essential Role of the DPO in Ensuring GDPR Compliance
The GDPR is legislation that applies to almost all types of personal data, and it is relevant to all business units, from human resources to the marketing and sales departments.
By having a DPO who oversees GDPR compliance and advises on how to comply, organisations can facilitate their GDPR compliance efforts.
From carrying out data protection impact assessments to handling data access requests, there are highly complicated GDPR compliance requirements that demand a data protection law expert.
Therefore, a DPO can enable organisations to facilitate GDPR compliance and to navigate the complexities of data protection laws.
Further Reading and Resources on Data Protection Officers
WP29’s Guidelines on DPO:
https://ec.europa.eu/newsroom/just/document.cfm?doc_id=44100
GDPR Text and Recitals:
https://gdpr-info.eu/recitals/no-97/
The UK Data Protection Authority’s Guidance on DPOs:
French Data Protection Authority’s Guidance on the DPOs: