The General Data Protection Regulation (GDPR) talks a lot about accountability and governance, requiring organisations to be more transparent about what it does with personal data.
“You are expected to put into place comprehensive but proportionate governance measures. Good practice tools that the ICO has championed for a long time such as privacy impact assessments and privacy by design are now legally required in certain circumstances.
“Information Commissioner’s Office”
This accountability and governance requires certain larger organisations to employ a Data Protection Officer (DPO) to oversee these practices.
Employing a DPO would obviously not be appropriate for all organisations. So the Information Commissioner‘s Office has boiled down the necessity for a DPO to the following categorisations.
While the above organisations are legally required to appoint a DPO, some businesses may want to voluntarily appoint one.
A DPO is considered to be an enterprise security role, leading the compliance of the GDPR of an organisation.
The DPO’s minimum tasks are defined in Article 39 of the GDPR:
‘To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.’
‘To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits.’
‘To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).’
In addition to these tasks, the DPO must ensure that they are reporting at board level, or whatever the highest level of your organisation happens to be. In effect, they operate independently of the organisation as a whole, and as such, must have their employment protected. This means that they cannot be dismissed or penalised for simply doing the job of a DPO. In addition to this, the organisation must provide the data protection officer with all of the resources they need to meet the above responsibilities and duties.
While there are no formal qualifications to become a DPO, although we have documented some official training on the GDPR itself on our GDPR resources page, the right candidate would be required to have certain qualities and knowledge.
The DPO needs to have proven integrity and high professional ethics to be able to ensure an organisation is prepared for and then continues to practice GDPR.
A tailored hands-on session based on your needs and goals
100% of our users achieve ISO 27001 certification first time