Once you know whether your organisation needs a Data Protection Officer (DPO), you then need to decide who can undertake the role. If you are not sure if you need a DPO, then read my blog post here to find out.
Companies often ask us who is the best person to be the DPO? This comes down to who can match the requirements set out in GDPR. Under GDPR you should appoint a DPO on the basis of their professional qualities, and in particular, experience and expert knowledge of data protection law. You might also want someone who has an understanding of the sector you work in.
Although GDPR doesn’t specify the qualifications a DPO is expected to have, it does say that they should have skills proportionate to the type of processing carried out. You’ll need to consider the level of protection that the personal data requires. Where the processing is complex or risky, the DPO’s knowledge and experience should be of a standard that provides effective oversight and support.
The role of the DPO is laid down in GDPR and includes:
- to inform and advise the organisation and its employees of their obligations under data protection legislation;
- to monitor compliance with data protection legislation and with your policies and procedures;
- to raise awareness of data protection issues;
- to train staff;
- to conduct internal audits (it would be an advantage for your DPO to also have a good knowledge of your industry or sector, as well as of your data protection needs and processing activities);
- to advise on and monitor data protection impact assessments;
- to co-operate with the supervisory authority; and
- to be the first point of contact for supervisory authorities and for individuals whose data is being processed.
When carrying out their tasks the DPO is required to take into account the risk associated with the processing you are undertaking. They must have regard to the nature, scope, context and purposes of the processing.
You can see that the role is complex and requires a good knowledge of data protection legislation. If the organisation is international and works across many countries, the DPO is going to need knowledge of international data protection laws as well.
One final thing, just to make this more complex: the DPO role must be independent of the purposes and means of processing personal information. So where it is assigned to a current employee, there cannot be a conflict of interest between their DPO role and any other duties they undertake.