The Roles and Responsibilities of a DPO (Data Protection Officer)

POSTED ON December 20, 2021 BY DATA SECURE

Introduction

The recently created position of Data Protection Officer (DPO) for corporates and enterprises is empowered to ensure that the organisation complies with all aspects of the new data protection regulations that are rapidly evolving globally. Organisations must appoint and designate a Data Protection Officer (DPO). This is a significant appointment and will have long-term benefits and advantages for the organisation.


Before the adoption of the GDPR, the WP 29 argued that the DPO is a cornerstone of accountability and that appointing a DPO can facilitate compliance and, furthermore, become a competitive advantage for businesses. In addition to facilitating compliance through the implementation of accountability tools (such as facilitating data protection impact assessments, or DPIAs, and carrying out or facilitating audits), DPOs act as intermediaries between relevant stakeholders, such as supervisory authorities, data subjects and business units within an organisation.

The specific definitions and building blocks of the data protection regime are enhanced by the EU GDPR (General Data Protection Regulation) and subsequently by the UK DPA 2018; the India PDPB 2019 makes provision for the same. This means that the DPO is a very important and active person in ensuring that organisations comply with the latest regulations and laws that are rapidly evolving across the globe, be it the GDPR in the EU, CCPA and CPRA in the USA, POPIA in South Africa, PIPL in China or the India PDPB 2019.

A DPO is a very important cog in the wheel of any organisation for ensuring that its privacy posture meets the regulatory standards set in the data protection regime, and thus that the organisation is not levied any financial penalty for a violation.

Role of a Data Protection Officer (DPO)

The role of a DPO can be multifarious: it can be regulator-facing, company-facing or individual-facing, since the DPO has to ensure that the privacy of the individual is protected and that personal data is processed as per the regulatory or legal framework.

In many large organisations that collect and process large volumes of personal data, there is a data protection office in which the DPO works. In such cases the DPO is independent but can have a team of privacy professionals working under him or her in order to address any issues that arise related to the privacy of the data subjects.

Furthermore, a DPO can also report to the chief legal officer or the chief privacy officer of the organisation. However, this can vary from organisation to organisation, since many organisations have a different structure. The most important point, as per the GDPR, is that he or she should be independent and report to the highest level of management of the organisation.

In order for the DPO to be successful, the organisation must provide full support to ensure that the DPO is able to fulfil his or her designated role. Privacy issues are often complex and cumbersome to resolve and need to be resolved in record time, so it is of high importance that the DPO is a strong, influential individual who takes no “No” for an answer in making the organisation comply with the regulation.

The role of the DPO is also to raise awareness about data protection, to help create a culture of privacy and to establish a training cycle to train the people within the organisation on matters related to privacy. This helps the organisation and its people raise their privacy understanding and avoid day-to-day mistakes while addressing privacy challenges.

For more information on the role of a DPO, kindly check the Working Party 29 Guidelines on Data Protection Officers, adopted by the EDPB (ARTICLE29 - Item (europa.eu)). This document clarifies the definition of a DPO under the GDPR and provides an excellent step-by-step approach.

Source : ARTICLE29 - Item (europa.eu)

The Data Protection Officer Network (DPON)

The Irish Data Protection Commission has established a Data Protection Officer Network, which allows DPOs to gather with other DPOs in similar sectors. The objective of the network is to facilitate support for its community and to share knowledge in the newly evolved role of DPO. Ideas and knowledge gathered through sharing are reported and discussed in the DPO community to further enhance the knowledge spectrum of the DPOs.

The establishment of the DPON further helps in understanding the different interpretations of the GDPR, since the requirements of each sector when implementing the GDPR can vary.

DPOs that are part of the DPON gain the crucial knowledge, confidence and characteristics that are required to implement privacy controls and to adhere to the GDPR.

Though the DPON has helped immensely in providing clarity on the role of DPOs, the role of a DPO is not going to be consistent across the globe. The dynamically evolving privacy regulations across the world are one of the leading challenges for the DPO. Additionally, the application of the GDPR differs across sectors, even though the outcome in each case is to ensure compliance, and this too results in an inconsistent role for the DPO.

The initiative by the Irish DPC to create the DPON is an excellent step in the direction of bringing clarity and enhancing the knowledge of DPOs. Since it is a sector-based network, covering small, medium and large enterprises alike, it is an effective way of bringing uniformity to the role of a DPO.

Source : Homepage | Data Protection Commission

EU GDPR : Article 37, 38 and 39

In EU GDPR Articles 37, 38 and 39, the designation, position and tasks of the DPO are well defined, in order to ensure that controllers and processors adhere to the regulation, ensure compliance and minimise the risk of violations that can result in huge penalties.

  • Designation of the Data Protection Officer : GDPR Article 37
    1. The controller and the processor shall designate a data protection officer in any case where:
      1. The processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
      2. The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale;
      3. The core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.
    2. A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.
    3. Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size.
    4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may or, where required by Union or Member State law, shall designate a data protection officer. The DPO may act for such associations and other bodies representing controllers or processors.
    5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.
    6. The DPO may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.
    7. The controller or the processor shall publish the contact details of the DPO and communicate them to the supervisory authority.
  • Position of the DPO : GDPR Article 38

    As per GDPR Article 38, the position of the DPO is very important in the organisation, be it a controller or a processor. As per this Article:

    1. The controller and the processor shall ensure that the DPO is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
    2. The controller and processor shall support the DPO in performing the tasks referred to in Article 39 by providing the resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.
    3. The controller and processor shall ensure that the DPO does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing those tasks.
    4. The DPO shall directly report to the highest management level of the controller or the processor.
    5. Data subjects may contact the DPO with regard to all issues related to the processing of their personal data and to the exercise of their rights under this Regulation.
    6. The DPO shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law.
    7. The DPO may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.
  • Tasks of the Data Protection Officer : GDPR Article 39

    GDPR Article 39 defines the tasks of a Data Protection Officer as follows:

    1. The Data Protection Officer shall have at least the following tasks:
      1. To inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions.
      2. To monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness raising and training of staff involved in processing operations, and the related audits.
      3. To provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35.
      4. To co-operate with the supervisory authority.
      5. To act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
    2. The DPO shall, in the performance of his or her tasks, have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

Responsibilities of a DPO

As shared above, the role of a DPO is critical for an organisation, especially for those organisations that collect and process large volumes of personal data. Based on GDPR Articles 37, 38 and 39, we can define the broad responsibilities of a Data Protection Officer.

However, it should be noted that the responsibilities listed below are not cast in stone and will continue to evolve over time due to the dynamic nature of the ever-evolving privacy regulations across the world.

  1. To monitor compliance with the data privacy/data protection regulation, with other EU or local data protection provisions and with the data protection policies of the organisation. This also includes raising the awareness of, and training, the staff members who carry out the processing activities.
  2. To ensure the various audits are completed in the requisite time-frame.
  3. To ensure that the data protection impact assessment (DPIA) is completed and to ensure that the DPIA is regularly done for the organisations.
  4. To ensure that the Records of Processing Activities (RoPA) are completed whenever the organisation collects and processes personal data.
  5. To inform and advise the organisation and the staff who process personal data about their obligations as per the GDPR or local data protection provisions.
  6. To co-operate with the supervisory authority or the Data Protection Authority (DPA) in case of any communication arising out of violation of EU regulations or local provisions.
  7. To act as the organisation’s point of contact on issues related to the processing of personal data.
  8. To ensure timely response to individuals whose data is processed (employees, clients, or any other data subject) on all issues related to the processing of their personal data and exercise of their rights as enshrined in the Regulation.

However, the responsibilities of a DPO will continue to evolve and there will be added responsibilities due to the rise in global privacy regulations across the world.

Conclusion

As becomes evident from GDPR Articles 37, 38 and 39 above, the Data Protection Officer (DPO) is a mandatory role for all those organisations that process the personal data of data subjects in the EU. The GDPR has called for the mandatory appointment of a DPO at every organisation that processes or stores the personal data of European citizens. The GDPR clearly states that a DPO must be appointed:

  1. For all kinds of organisations where the core activities of the controller or processor involve large scale processing of special categories of personal data such as race, ethnicity or religious beliefs.
  2. For all public authorities, and where the core activities of the controller or processor involve regular and systematic monitoring of data subjects on a large scale.

Recognising the importance and functions of a Data Protection Officer in ensuring compliance, various data privacy regulations across the world have come with a similar mandatory appointment of a DPO, e.g. the UK DPA 2018 and even the India PDPB 2019.

Source : General Data Protection Regulation(GDPR) – DPO India (dpo-india.com)

Source : UK Data Protection Act 2018 – DPO India (dpo-india.com)

Source : India’s Draft Personal Data Protection Bill 2019 GOVTBILL_English_373_2019 10.12.2019 – DPO India (dpo-india.com)

We at Data Secure (www.datasecure.ind.in) can help you understand privacy and trust while dealing with personal data, and provide privacy training and awareness sessions in order to increase the privacy quotient of your organisation.

We can design and implement RoPA, DPIA and PIA assessments for meeting compliance and mitigating risks as per the requirement of legal and regulatory frameworks on privacy regulations across the globe.

For any demo/presentation of solutions on data privacy and privacy management as per the EU GDPR, CCPA or Draft India PDPB 2019, and on secure email transmission, kindly write to us at dpo@dpo-india.com or info@datasecure.ind.in.

For downloading various Global Privacy Laws kindly visit the Resources page in DATA SECURE - Privacy Automation Solution