The idea of having a Data Protection Officer within a company or organisation is to offer a further measure of security and added protection for the data that is collected and held. The DPO effectively acts as an extra safeguard.
Having a DPO is not mandatory in most cases. The three specific situations where a DPO must be appointed are:
- Where processing is undertaken by a public body - this excludes courts acting in their official capacity.
- Where regular and systematic monitoring of data is, by its nature, the core activity of the business or organisation.
- Where processing of special data or data relating to criminal convictions is a principal activity and is done on a large scale.
The DPO can be an individual, a third party or an employee (restrictions apply in the latter case so that no conflict of interest arises - e.g. senior management in IT or HR should not also be the DPO). A group of entities can appoint a single individual as DPO, made available to all parties involved. Equally, a DPO appointment can cover and act within multiple unrelated bodies or agencies. The designated person is expected to have expertise in data privacy law and practice, and the capability to fulfil the tasks required for the company to become GDPR compliant.
The most important thing to understand about the DPO role is that it is a special role that carries specific obligations, for example:
- to be involved in all issues that relate to the protection of personal data;
- to act independently;
- to be a contact point for data subjects on all issues concerning the subjects' rights.
Alongside this, the appointed DPO is afforded particular rights, among which are:
- to be supported by the Controller and Processor;
- not to be penalised for performing his or her duties;
- to have access to senior management.
The role of DPO will generally encompass the following:
- to inform and advise on GDPR obligations;
- to monitor the organisation's compliance with GDPR;
- to provide advice internally and to be involved in training;
- to act as a point of contact for both data subjects and the Supervisory Authority.