How to Demonstrate Compliance With GDPR Article 37

Designation of the Data Protection Officer


Data Protection Officers are a fundamental component of any organisation's broader cyber security operation.

GDPR Article 37 emphasises the importance of the role, and offers guidance on how a DPO should be appointed, the core activities of the role, and how such appointments are communicated.

GDPR Article 37 Legal Text

EU GDPR Version

Designation of the Data Protection Officer

  1. The controller and the processor shall designate a data protection officer in any case where:
    • (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
    • (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
    • (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

  2. A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.
  3. Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size.
  4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors.
  5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.
  6. The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.
  7. The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.

UK GDPR Version

Designation of the Data Protection Officer

  1. The controller and the processor shall designate a data protection officer in any case where:
    • (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
    • (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
    • (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
  2. A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.
  3. Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size.
  4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors.
  5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.
  6. The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.
  7. The controller or the processor shall publish the contact details of the data protection officer and communicate them to the Commissioner.


Technical Commentary

GDPR Article 37 outlines 7 key areas that organisations need to take into consideration when appointing and managing the activities of a Data Protection Officer:

  1. The underlying obligation to appoint a Data Protection Officer.
  2. The right to appoint a DPO for large group undertakings.
  3. The ability for groups of organisations to appoint a single DPO that caters to their shared obligations and organisational structure.
  4. Special circumstances that lend themselves to the appointment of a DPO (an intermediary between organisations and governing authorities).
  5. The expertise of the DPO, including any relevant legal and operational experience.
  6. Contracting DPO duties, rather than appointing one internally.
  7. Making a DPO's contact details available to whoever requires them and is legally permitted to obtain them.

ISO 27701 Clause 6.3.1.1 (Information Security Roles and Responsibilities) and EU GDPR Article 37

In this section we talk about GDPR Articles 37 (1)(a), 37 (1)(b), 37 (1)(c), 37 (2), 37 (3), 37 (4), 37 (5), 37 (6) and 37 (7).

Organisations should define roles and responsibilities that are specific to individual functions contained within their privacy protection policy – both their general policy and topic-specific policies.

Individuals with specific responsibilities should be skilled enough to carry out privacy-related tasks, and should be offered continual support that maintains an acceptable level of competency.

Areas of responsibility should include:

  • The protection of PII and any privacy-related assets.
  • Executing privacy protection procedures.
  • PII-related risk management activities, including remedial actions.
  • Anyone who uses the organisation's information and data, including the use of ICT assets.
  • Individuals with top-level responsibility for privacy protection delegating tasks to others.

ISO acknowledges that each organisation is unique in the way that it processes information. The above areas of responsibility should be accompanied by site- and facility-specific guidelines that take into account real-world factors affecting an organisation's PII-processing operation.

All of the above responsibilities and security areas should be clearly documented and made available to all relevant staff members.

Organisations should nominate an individual that customers (and external authorities) can use as a dedicated point of contact for all PII-related matters (see ISO 27701 Clause 7.3.2).

In addition, organisations should delegate responsibility to one or more individuals for building an organisational privacy governance program that bolsters adherence to localised and national PII laws and regulations.

Supporting ISO 27701 Clauses

  • ISO 27701 7.3.2

Index of Linked EU GDPR Articles and ISO 27701 Clauses

GDPR Article: EU GDPR Articles 37 (1)(a) to 37 (7)
ISO 27701 Clause: ISO 27701 6.3.1.1
ISO 27701 Supporting Clauses: ISO 27701 7.3.2

How ISMS.online Helps

Your complete GDPR solution.

Our pre-built environment fits seamlessly into your management system and enables you to describe and demonstrate your approach to protecting your European and UK customer data.

With ISMS.online, you can easily demonstrate a level of privacy protection that goes beyond ‘reasonable’, all in one secure, always-on location.

Find out more by booking a demo.
