After the GDPR came into force, many companies designated, or are planning to designate, a Data Protection Officer (DPO). Below are the questions businesses most often ask about the DPO, together with answers.
1. Who is the DPO?
The DPO is an expert responsible for monitoring the processing of personal data and compliance with data protection law throughout an organisation. In other words, it is the person to whom you can delegate day-to-day data protection matters (e.g., handling requests from data subjects and supervisory authorities, or assessing whether a data protection impact assessment is required before new software is put into use) while you concentrate on growing the business.
2. What are the main tasks of the DPO?
The main tasks of the DPO are listed below:
to inform and advise the controller or processor, and the employees who process personal data, of their obligations under the GDPR and other data protection laws, and to organise data protection training;
to monitor the compliance of the company's policies, documents and processes with the GDPR (the DPO monitors compliance; responsibility for compliance itself remains with the controller or processor);
to provide advice, where requested, on the data protection impact assessment and to monitor its performance;
to cooperate with the supervisory authority and act as the contact point for the supervisory authority (and for data subjects) on issues relating to the processing of personal data.
3. When is it mandatory to designate a DPO?
A DPO must be designated if at least one of the following conditions is met:
the processing is carried out by a public authority or body (except for courts acting in their judicial capacity), i.e., any government or other public administration, including public advisory bodies, at national, regional or local level, performing public administrative functions under national law, including specific duties, activities or services. Note that a public task may also be carried out by other natural or legal persons in sectors such as public transport, water and energy supply, road infrastructure, public service broadcasting, public housing or disciplinary bodies for regulated professions;
the core activities of the business consist of processing operations which require regular and systematic monitoring of data subjects on a large scale (e.g., companies providing targeted advertising, website analytics or direct marketing services, insurance companies, loan providers, private security companies carrying out surveillance, etc.);
the core activities of the business consist of large-scale processing of special categories of data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation) or of personal data relating to criminal convictions and offences.
Unless it is obvious that an organisation is not required to designate a DPO, it is highly recommended to carry out and document an internal analysis of whether a DPO has to be appointed, as this documentation forms part of the records required under the accountability principle of the GDPR.
A company may also designate a DPO on a voluntary basis, which helps to ensure compliance with the GDPR and can improve the company's reputation among its customers and partners. Bear in mind, however, that once a DPO is designated voluntarily, the GDPR requirements on the DPO's position, independence and tasks apply in the same way as if the designation had been mandatory.
4. What professional qualities should the DPO have?
The DPO shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil his or her tasks.
The necessary level of expert knowledge should be determined according to the data processing operations carried out and the protection required for the personal data being processed. For example, where a data processing activity is particularly complex, or where a large amount of sensitive data is involved, the DPO may need a higher level of expertise and support.
Relevant skills and expertise include:
expertise in national and European data protection laws and practices including an in-depth understanding of the GDPR;
understanding of the processing operations carried out;
understanding of information technologies and data security;
knowledge of the business sector and the organization;
ability to promote a data protection culture within the organization.
5. Is it better to designate an internal or an external DPO?
In practice, there are two main options for DPO designation: an internal DPO (a member of staff) and an external DPO (a service provider acting under a service contract).
In the case of an internal DPO, one of the company's employees is designated as the DPO. In this scenario it is very important to bear in mind that the DPO must act independently: he or she must not receive instructions from the employer regarding the exercise of the DPO's tasks, and may not be dismissed or penalised for performing those tasks. In addition, the internal DPO must be able to report data protection issues directly to the highest management level of the company, which can be difficult to implement in practice, as employees usually report only to their direct manager.
What is more, the tasks and duties of a DPO must not result in a conflict of interest. As a rule of thumb, conflicting positions within the organisation may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of the marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of data processing.
For these reasons, it is often recommended to assign the DPO function to an external service provider, where a single person or a whole team provides the service to the company and effectively carries out the DPO tasks. Whichever option is chosen, the DPO's contact details must be published and communicated to the supervisory authority. Fondia Lithuania data protection experts provide such a service. You can read more about Data Protection Officer as a service (DPOaaS) here.