Posted: 12/03/2018
The role of the Data Protection Officer, or ‘DPO’ for short, is crucial for compliance with the EU General Data Protection Regulation (GDPR) for some organisations and, depending on where you are in the world, this role may also be required by your local data protection legislation. But what should the DPO do? Where should they sit in the overall structure of the organisation? Read our latest blog on the subject and find out whether you need a DPO and what they should be responsible for.
Article 37 sets this out:
A DPO’s position is clearly written in the regulations:
The GDPR is silent on which function the DPO should belong to and at which level they should sit. This is causing some deep discussions and head-scratching for data controllers everywhere. With such a crucial role and time running out, data controllers and processors need to decide:
The requirements of the role are set out in the EU GDPR, and these will need to be translated into a job description, or a services contract if outsourcing.
Organisations tackling the task of analysing their DPO role and function might find the following questions helpful to ask themselves:
A DPO is going to be a crucial role in your organisation. Technical skills with a track record in data protection are going to be a given, or at the very least the ability to train up quickly. They will need to build great relationships internally and externally, train and advise, and also hold the line to protect individuals’ data. They also cannot be penalised for doing their job. Considering all of this, it is not an easy pair of shoes to fill. An organisation might do well to hire with a well-balanced view of behavioural competencies as well as technical ones, and also consider advanced selection tools and case study tests.
The GDPR allows you to consider insourcing or outsourcing the role. If insourcing, you can consider either a secondment, which allows for rotation in the role and the opportunity to bring in fresh thinking, or a permanent hire. If outsourcing, there are various organisations that offer DPO outsourcing services, and they can be contracted to provide full-time or part-time support. If you are part of a group of companies, you may also consider outsourcing within the group. The following is a summary checklist that can be used to assess how you might resource the DPO:
View Article 29 Data Protection Working Party
We hope that this article has been useful. We’re working with organisations who are answering these questions. If you want more information on a target operating model for a data protection officer, an approach to a GDPR project, online training materials or anything else, we are always delighted to hear from people. Contact Us.