On the 14th of April 2016, the EU adopted the General Data Protection Regulation (GDPR), replacing the 1995 Data Protection Directive. The new regulation came into force on the 25th of May 2018, giving companies a two-year grace period to fully comply. Among the numerous critical requirements, the need to appoint a Data Protection Officer (DPO) has been one of the key factors.
The role of the DPO
A DPO shall be appointed if an organisation meets any of the following requirements: it is a public entity in the EU; it is involved in regular or systematic monitoring of data subjects on a large scale; it processes special categories of personal data on a large scale; or the appointment is required by an EU Member State in its national law. A Data Protection Officer is responsible for formulating the data protection strategy and making the organization compliant with GDPR requirements.
The GDPR lays down the tasks of the DPO, which are to inform and advise the organization of its obligations under the Regulation. He monitors compliance with the Regulation, provides advice about data protection, and cooperates with the supervisory authority. The DPO also has to play a passive role in data protection through training staff and raising awareness of data protection.
Since the DPO works for the data privacy of the organization, he must have authority and complete autonomy in his field. His involvement is essential in all decisions of the organization related to data protection. He is only accountable to the top management. He works independently to prepare mechanisms for data protection and should have direct access to the data processing activities. The Data Protection Officer must act as an intermediary between relevant stakeholders, including supervisory authorities, data subjects, and business units within an organization.
To clarify the role of the DPO, here are some pointers:
- He is not personally responsible in case of non-compliance with the GDPR.
- Must have sufficient autonomy and resources to carry out his tasks effectively.
- He has to maintain his independence from any conflict.
- Must be in a position to efficiently communicate with data subjects and cooperate with the supervisory authorities concerned. The availability of a DPO is essential to ensure that data subjects will be able to contact him if necessary.
Importance creates demand
The need for DPOs is going to rise exponentially, particularly in data-rich industries. More than 28,000 will be needed in Europe and the U.S. alone, and as many as 75,000 around the globe, as a result of GDPR, the International Association of Privacy Professionals (IAPP) estimates. The increasing demand for DPOs is going to create a new discipline, both academically and professionally.