Data Protection Officers

Under the GDPR both Data Processors and Data Controllers are obligated to appoint a data protection officer (DPO) in three possible situations:

  • Where they are a public body;
  • Where core activities require regular and systematic monitoring of personal data on a large scale; and
  • Where core activities involve large scale processing of special categories of data.

Group companies can appoint a single DPO, provided the DPO is easily accessible from each establishment.

DPO’s must be selected based on professional qualities and expert knowledge of data protection law but do not need to be legally qualified. DPOs can either be an employee or contractor.

DPOs must be informed of all data protection issues within the organisation in a proper and timely manner, be provided with the necessary resources to carry out his/her tasks and have access to all personal data and processing operations.

The minimum duties of a DPO include:

  • Informing and advising the data controller or data processor and employees processing personal data of their obligations;
  • Monitoring compliance with the GDPR and any other relevant EU or national legislation;
  • Cooperating with the applicable supervisory authority and acting as the contact point for any issues that arise; and
  • Advising on DIPAs and monitoring their impact.

The DPO shall be independent from the data controller or data processor that appoints him or her, and specifically must not be instructed on how to carry out the required tasks listed above. The DPO must report directly to the highest level of management and shall not be dismissed or penalised for performing his/her tasks.

This effectively provides the DPO with a special “protected status” within an organisation, and may create challenges for employers if there is need to take legitimate performance management or other action against a DPO in the context of the employment relationship.

 Practical Steps

  • Review the current job spec of your organisation’s DPO and consider whether it is appropriate;
  • Consider the practical issues surrounding the DPO appointment (e.g. independence, separate function to legal, separate budget, report directly to the board);
  • Consider any jurisdictional issues involved with the appointment and whether multiple DPOs should be appointed to cover different jurisdictions;
  • Does the DPO require a support team to fulfil his/her role efficiently?