Appointing a data protection officer

A Data Protection Officer, or DPO can be an employee of the company and will in larger companies often justify a full time position. For smaller companies and startups this may often be too much overhead.

The position of DPO

A designated DPO has to report directly to the highest organ of the company, often the CEO or board. They require unrestricted access to all data processed by the company. He or she is also responsible for the compliance of the company, and in particular for ensuring that there is proper communication with the authorities in the event of a data breach or a similar incident. They then also deal with subject access requests and make sure data records are organized and ready for review whenever needed.


Who to appoint as DPO?

It is important to note that in most situations the role of DPO can not be combined with for example the role of CEO, CTO, legal counsel or external legal advisor or lawyer, as this would constitute a conflict of interest. The DPO will need to have the freedom and independence to independently report breaches to the authorities.

When is a DPO required?

A DPO is required in particular when a company engages in the large-scale processing of special data categories related to criminal convictions or offenses, as well as when core activities include processing special data categories on a large scale.

It also still may be required under certain local laws to appoint a DPO (Germany, for example, requires an appointed DPO as soon as 10 or more employees are involved in the processing of data). It’s also typically good practice to assign a specific person or external service provider, such as TechGDPR, to this role.  Doing so demonstrates a measurable effort to regulators and builds a better case for compliance – a helpful thing to have when in a tricky data protection situation.

What are the core tasks of a Data Protection Officer (DPO)?

  • To inform and advise the controller or the processor and the employees who carry out processing of their obligations.
  • To monitor compliance with the GDPR, with other provisions and with the data protection policies of the controller or processor.
  • The assignment of responsibilities, awareness-raising and training of staff involved in processing operations.
  • To perform or lead GDPR related audits.
  • To provide advice about data protection impact assessment.
  • To cooperate with the supervisory authority.
  • To act as the contact point for the supervisory authority on issues relating to processing.
  • Be responsible for any prior consultation.
  • To have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

Who needs a data protection officer?

Not every company that is involved in processing personal data requires a Data Protection Officer, if personal data     is not core to your business, if the processing is on small scale and no special categories of data are being used there is a good chance no DPO is required. If you are not required (yet) to appoint a DPO it may still take responsibility and work out of your hands, and will generally help to demonstrate compliance effort. We offer the cost-efficient solution of appointing a TechGDPR DPO at an affordable monthly fee.

We can provide a DPO for your organisation.
Click here to find out more.