X Blogi

What is a Data Protection Officer and why your company might need one

Julkaissut XCure 7.5.2020 11:25


In our second article about data protection law, our focus will be one of the main innovations brought by GDPR, the creation of the role of the Data Protection Officer. We will explain what a DPO is, what it does, and when it is necessary for an organization to have one.

The General Data Protection Regulation of the European Union came into force in 2018, but many companies still haven’t taken the necessary measures to become fully compliant with it. It is to help organizations in the journey towards compliance that XCure has created a new series on LinkedIn about data protection law.

In our second article, our focus will be one of the main innovations brought by GDPR, the creation of the role of the Data Protection Officer. We will explain what a DPO is, what it does, and when it is necessary for an organization to have one.

What is a Data Protection Officer and when do you need to have one?

A DPO is the person responsible for overseeing GDPR compliance within an organization. While all organizations need to have someone tasked with monitoring compliance, hiring a DPO is not always mandatory.

Because of this, it is extremely important to be sure whether or not your company needs one. Failing to appoint a DPO in mandatory cases is a serious infringement that can lead to fines of up to €20 million or 4% of the company’s worldwide annual revenue from the previous year, whichever amount is higher.

According to GDPR, there are three main cases in which having a Data Protection Officer is mandatory:

  • When the processing of personal data is done by public authorities;
  • When the core activity of the organization involves regular and systematic monitoring of data subjects on a large scale;
  • When the processing of special categories of data is part of the organization’s core activity and is done on a large scale.

It is important to define the terms “core activity” and “large scale”. A “core activity” means a key operation to achieve a controller’s or processor’s objectives. For example, the processing of health data about patients is key to the functioning of a hospital, which makes the appointment of a DPO mandatory.

The determination of whether something happens on a “large scale”, by its turn, depends on four main factors: the number of data subjects involved, the volume of data or range of different data items, the duration or permanence of processing, and the geographical coverage of processing.

Who can be a DPO?

he GDPR doesn’t have strict requirements or credentials to determine who can work as a Data Protection Officer. It determines, however, that the person must be appointed based on professional qualities, especially in regards to expertise and knowledge about data protection law. The Regulation also notes that a DPO’s qualifications must be proportional to the type of processing done by the organization and the level of protection required from it.

What are the main tasks and responsibilities of a Data Protection Officer?

Articles 38 and 39 of the GDPR define the six main tasks of a DPO:

  • Inform and advise the organization and its employees about GDPR and other data protection laws;
  • Receive comments and questions from data subjects about the processing of their personal data;
  • Monitor an organization’s compliance, train staff, and perform audits;
  • Advise, perform and monitor data protection impact assessments (DPIA);
  • Cooperate with the data protection supervisory authority (DPA);
  • To act as the first point of contact with the DPA.focal point for the data protection supervisory authority on matters relating to the processing of personal data and other matters, where appropriate.

While performing these tasks, a DPO always needs to take into account the risk associated with the processing. This is done through the analysis of the nature, context, scope, and purpose of the processing of personal data in each case. A Data Protection Officer needs also to prioritize riskier activities, for instance, when the processing involves special category data or can have a damaging impact on data subjects.

Now that you understand what a DPO is and what it is responsible for. To learn more about other aspects of data protection law, don’t forget to follow our LinkedIn page to keep up to date with all of our special content about it!

We know compliance can be a challenging journey, and this is why we have developed the Privacy Management Tool. With it, you can map, document and maintain the requirements of data protection in your organization. Try it now for free!

Contact XCure team, if you want more information or presentation about the Privacy Management Tool.

Aiheet: EU:n tietosuoja-asetus, GDPR, Tietosuoja-asetus, Tietosuojatyökalu, Privacy Management Tool