4. Data Protection Officer (DPO)
The DPO is the data protection expert within the organisation (or external to it) and forms the link with both the public and the organisation’s employees in relation to the processing of all personal data held. The GDPR makes it a requirement that organisations appoint a data protection officer (DPO) in some circumstances and not in others. The GDPR also contains provisions about the tasks a DPO should carry out and the duties of the employer in respect of the DPO.
The GDPR states what a DPO’s role is:
“The DPO, who can be a staff member or contractor, shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.”
These tasks are:
- Informing and advising the controller or the processor and their employees of their data protection obligations.
- Monitoring compliance with the Regulation, including the assignment of responsibilities.
- Awareness-raising and training of staff involved.
- Providing advice where requested as regards the data protection impact assessments (DPIAs) and monitoring compliance and performance.
- Engaging with the Data Protection Commissioner’s Office or relevant Supervisory Authority.
The GDPR also stipulates that the DPO reports directly to top-level management and must be given all resources necessary to carry out their functions.
Even if you decide you don’t need to appoint a DPO, your organisation must ensure that it has sufficient staff and skills to discharge its obligations under the GDPR. It may be that you need an employee to be your DPO or you may not; it may be that the appointment of an external person to be your DPO is the way to go. We can assist you with all this, helping you to decide what your organisation requires and to fulfil those requirements.