GDPR Article 39 outlines the minimum set of duties that a DPO must carry out in order to be considered effective, including their obligations towards the law and their interaction with governing authorities.
Tasks of the Data Protection Officer
- The data protection officer shall have at least the following tasks:
- (a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
- (b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- (c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
- (d) to cooperate with the supervisory authority;
- (e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
- The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
Tasks of the data protection officer
- The data protection officer shall have at least the following tasks:
- (a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other domestic law relating to data protection;
- (b) to monitor compliance with this Regulation, with other domestic law relating to data protection and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- (c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
- (d) to cooperate with the Commissioner;
- (e) to act as the contact point for the Commissioner on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
- The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
DPOs should not only inform and advise organisations on processing activities, but also monitor compliance with any prevailing legislation.
An organisation’s designated DPO also has a central role to play whenever the need arises to carry out a Data Protection Impact Assessment (DPIA).
It’s important to note that whilst the role of a DPO is tightly bound by confidentiality principles, they are still able to seek guidance and advice from regulatory and legal authorities.
In this section we talk about GDPR Articles 39 (1)(a), 39 (1)(b), 39 (1)(c), 39 (1)(d), 39 (1)(e) and 39 (2).
DPOs should be skilled enough to carry out privacy-related tasks, and should be offered continual support in order to maintain an acceptable level of competency.
ISO acknowledges that each organisation is unique in the way that it processes information. The above areas of responsibility should be accompanied by site- and facility-specific guidelines that take into account real-world factors affecting an organisation’s PII-processing operation.
Organisations should nominate an individual that customers (and external authorities) can use as a dedicated point of contact for all PII-related matters (see ISO 27701 7.3.2), namely a DPO.
In addition, organisations should delegate responsibility to one or more individuals for building an organisational privacy governance program that bolsters adherence to localised and national PII laws and regulations.
As a general approach, organisations should implement periodic training programs (including during the onboarding phase) that align specifically with their own general and topic-specific privacy protection policies, and PIMS-related requirements.
Training formats can include:
Staff with a specialised role to play in privacy protection – e.g. ICT maintenance staff – should benefit from specialised training plans that take into account the integral role they play in safeguarding PII.
Training plans/sessions should conclude with an assessment that provides the organisation with a top-down view of competency levels on an employee-by-employee basis.
To complement workplace training, organisations should also roll out privacy protection awareness programs that provide staff with a range of materials that act as information points on the topic of PII and organisational privacy protection.
Awareness programs may include:
Awareness efforts should be focused on:
PII should be treated as its own distinct topic within privacy protection training programmes.
Staff need to be made acutely aware of the specific legal, commercial, reputational and disciplinary consequences that result from the misappropriation and/or mishandling of PII.
GDPR Article | ISO 27701 Clause | ISO 27701 Supporting Clauses |
---|---|---|
EU GDPR Articles 39 (1)(a) to 39 (2) | ISO 27701 6.3.1.1 | ISO 27701 7.3.2 |
EU GDPR Article 39 (1)(b) | ISO 27701 6.4.2.2 | None |