Better safe than sorry!

Data protection officer (DPO)

The General Data Protection Regulation (GDPR) requires a data protection officer (DPO), which is an enterprise security leadership role. Data Protection Officers are responsible for overseeing data protection strategy and implementation to ensure compliance with  GDPR requirements.

When the GDPR became effective, the DPO became a mandatory role for all companies that work with EU citizens’ data. DPOs also serve as the point of contact between the company and any Supervisory Authorities that oversee activities related to data.

As outlined in the GDPR Article 39, the DPO’s responsibilities include the following:

  • Educating the company and employees on important compliance requirements.
  • Training staff involved in data processing.
  • Conducting audits to ensure compliance and address potential issues proactively.
  • Serving as the point of contact between the company and GDPR Supervisory Authorities.
  • Monitoring performance and providing advice on the impact of data protection effort.
  • Maintaining comprehensive records of all data processing activities the company conducts, including the purpose of all processing activities, which must be made public on request.
  • Interfacing with data subjects to inform them about the usage of their data; their rights to have their personal data erased; and what measures the company has put in place to protect their personal information.

Do I need a DPO?

Article 37 of the GDPR introduces, for the first time, the role of DPO and according to the article the Controller and the Processor shall designate a DPO in any case where:

  • the processing is carried out by a public authority or body, except for circumstances when courts act in their judicial capacity;
  • the core activities of the Controller or the Processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • the core activities of the Controller or the Processor consist of processing on a large scale of special categories of data such as genetic or biometric data, health data and also personal data relating to criminal convictions and offences.

Hospitals, insurance companies, banks, companies processing online data for advertising purposes, and pharmaceutical companies that process sensitive personal data fall within the concept of large-scale activities.

Consequently, the above categories also include non-EU companies which work with the personal data of EU citizens. For that reason, GDPR impacts companies from all over the world, and the majority need a DPO. For more information on GDPR compliance, check out our article on the reach of GDPR outside of the EU. 

DPO services: What is f society offering?

f society is currently working with a number of Organizations to create a GDPR compliance roadmap.  Moreover, f society enables organizations to understand the steps one needs to take to ensure GDPR compliance.

f society can help its customers prepare for the GDPR.

It helps its customers, educate themselves and their workforce in relation to whose data is held, what data is held, why the data is held, how long the data should be retained for, and where the data is held/stored.

f society provides DPO Services.

The key to success is to begin the process as early as possible to allow for a smooth transition.