If you’re reading this, you’re probably preparing for the GDPR. Have you been wondering what a DPO is, exactly? In this article, we cover what the role of the Data Protection Officer is, as outlined in the Regulation, and help answer a key question: does your company really need one?
What Is a DPO?
From May 25th, the role of DPO or Data Protection Officer is going to be crucial in the regulation of personal data across the world. It will be the DPO that will police the GDPR compliance in organisations, large and small, in every sector and in every entity that handles the personal data of EU citizens and residents.
It’s also a role that will help organisations avoid millions of euros in fines, resist data breaches and steer clear of costly and brand-damaging litigation. And it’s such an important role that it’s written into law.
Article 37(5) of the General Data Protection Regulation reads:
‘The DPO…shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39’.
The tasks referred to in Article 39 are:
- Informing and advising the controller or the processor and their employees of their data protection obligations.
- Monitoring compliance with the Regulation, including the assignment of responsibilities.
- Awareness-raising and training of staff involved.
- Providing advice where requested as regards the data protection impact assessments (DPIAs) and monitoring compliance and performance.
- Engaging with the Information Commissioner’s Office or relevant Supervisory Authority.
Recommended reading: Is your business ready for GDPR?
The Regulation also stipulates that DPOs report directly to top-level management and that they must be given all resources necessary to carry out their functions. These functions include dealing with the public and regulators.
The DPO must ensure that individuals (data subjects) have an easy way to ask questions about their information and to get answers on how it is protected, stored, used, retained and deleted, including receiving it in a portable format, making Subject Access Requests and exercising the right to be forgotten.
And in the event of breaches, the DPO takes the lead in liaising with the regulator and the data subjects affected by the breach.
The DPO is an important role but how do you know if your company needs one?
There are four specified criteria under GDPR for requiring a DPO:
- If you are a public sector body then you need a Data Protection Officer.
- If you are a private sector body that does business on behalf or with a public sector body, then you need a DPO.
- If you process large amounts of personal data then you need a DPO.
- If you are a small organisation, but you process large amounts of personal data, then you need a DPO.
This includes all organisations – business, political, educational, charitable, sporting, public sector – once they handle the personal data of EU citizens and EU residents, irrespective of where the company is located or headquartered.
Recommended reading: GDPR is coming and it will be profound
When don’t you need a DPO?
The GDPR does not require an organisation to appoint a DPO if its main activities do not involve dealing with personal data.
However, it should keep records of its data management and of its decision-making processes around data.
If you need to be GDPR compliant, your organisation will need access to DPO services.
There is flexibility to find the best ‘DPO’ fit for your organisation – taking into account its size, the sector you are in and cost. As such, you will need to decide if appointing a full-time DPO is the best way to ensure your organisation complies.
Or you can look at other options – part-time, shared or an external consultant.
DPO options for SMEs
Smaller organisations may find that DPO responsibilities are a challenge to deliver, given the breadth of knowledge required to manage IT systems and the familiarity needed with the legal aspects of the GDPR.
It is therefore possible to ‘share’ a DPO by working with other organisations – provided that the DPO is easily accessible and there are no conflicts of interest.
Another option is to engage an external consultant who is qualified to do the role, as and when required.
Or small to medium-sized enterprises can assign a dual role and appoint an existing executive as DPO, as long as the two roles don’t conflict.
These solutions are particularly suited to SMEs which may not have the budget or the need for a full-time DPO.
Rinodrive has been built to help Data Protection Officers meet GDPR requirements. At Rinodrive, security and privacy are the highest priority. We understand that the confidentiality of data and protocols is critical. All of your data is stored in highly secure data centres covered by dozens of compliance programmes and audit safeguards. Try Rinodrive and discover for yourself that there’s an affordable and easily implemented solution.