A Data Protection Officer (DPO) can be an employee of the company or an external party. In larger companies, the responsibilities often justify a full-time position, while a full-time DPO may be too much overhead for smaller companies and startups.
The Position of DPO
A designated DPO reports directly to the highest management level of the company, typically the CEO or the board, and must be given access to the personal data and processing operations of the company. The DPO monitors the company's compliance (legal responsibility for compliance remains with the company as controller or processor) and, in the event of a data breach or a similar incident, supports the company in notifying the supervisory authority correctly and on time. The DPO also helps handle data subject access requests and makes sure the records of processing are organized and ready for review whenever needed.
Who should be appointed as DPO?
It is important to note that in most situations the role of DPO cannot be combined with certain other roles, such as CEO, CTO, in-house legal counsel or the company's external lawyer, because the dual role would constitute a conflict of interest: a person who determines the purposes and means of processing cannot independently monitor that processing. The DPO must be free to perform the role without instructions from the company and may not be penalized for doing so, including when raising issues with or reporting to the supervisory authority.
When is a DPO required?
A DPO is mandatory under Article 37 GDPR in three situations: when the processing is carried out by a public authority or body; when the company's core activities involve regular and systematic monitoring of data subjects on a large scale; and when the core activities involve large-scale processing of special categories of data (such as health, biometric or political data) or of personal data relating to criminal convictions and offenses.
Certain local laws add further conditions that require a DPO appointment. Germany, for example, requires an appointed DPO as soon as a set number of employees are regularly engaged in the automated processing of personal data (10 when the rule was introduced, raised to 20 by the 2019 amendment of the Federal Data Protection Act, BDSG).
When a company has neither the interest nor the capacity to appoint an internal DPO, a viable alternative is to assign the role to an external service provider such as TechGDPR. Assigning the role to GDPR experts demonstrates a measurable compliance effort to regulators and builds a stronger case for compliance, which is important leverage when confronted with a complicated data protection situation.
What are the core tasks of a Data Protection Officer (DPO)?
- To inform and advise the controller or processor, and the employees who carry out processing, of their obligations under the GDPR and other data protection law.
- To monitor compliance with the GDPR, with other data protection provisions and with the data protection policies of the controller or processor.
- As part of that monitoring, to oversee the assignment of responsibilities, awareness-raising and training of staff involved in processing operations.
- To perform or lead the related GDPR audits.
- To provide advice, where requested, on data protection impact assessments and to monitor their performance.
- To cooperate with the supervisory authority.
- To act as the contact point for the supervisory authority on issues relating to processing.
- To act as the contact point in any prior consultation with the supervisory authority (Article 36) and to consult with the authority on other matters where appropriate.
- To have due regard, in performing these tasks, to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
Which companies are required to appoint a data protection officer?
Not every company that processes personal data requires a DPO. If personal data is not core to your business, if the processing is small in scale and if no special categories of data are involved, a DPO may not be required. Even if you are not (yet) required to appoint a DPO, doing so can still reduce work and responsibility, as it helps to demonstrate a compliance effort.
Appointing TechGDPR as your company’s DPO provides a cost-efficient solution at an affordable monthly fee.
TechGDPR can help your company become GDPR compliant through a variety of services, including serving as your company’s DPO. Contact our team and we will respond quickly with a framework for discussing your unique GDPR compliance needs.
If you prefer to call, we can be reached at: +49 (0)30 5490 8661