In our second article about data protection law, our focus will be one of the main innovations brought by GDPR, the creation of the role of the Data Protection Officer. We will explain what a DPO is, what it does, and when it is necessary for an organization to have one.
The General Data Protection Regulation of the European Union came into force in 2018, but many companies still haven’t taken the necessary measures to become fully compliant with it. It is to help organizations in the journey towards compliance that XCure has created a new series on LinkedIn about data protection law.
A DPO is the person responsible for overseeing GDPR compliance within an organization. While all organizations need to have someone tasked with monitoring compliance, hiring a DPO is not always mandatory.
Because of this, it is extremely important to be sure whether or not your company needs one. Failing to appoint a DPO in mandatory cases is a serious infringement that can lead to fines of up to €20 million or 4% of the company’s worldwide annual revenue from the previous year, whichever amount is higher.
According to GDPR, there are three main cases in which having a Data Protection Officer is mandatory:
It is important to define the terms “core activity” and “large scale”. A “core activity” means a key operation to achieve a controller’s or processor’s objectives. For example, the processing of health data about patients is key to the functioning of a hospital, which makes the appointment of a DPO mandatory.
Whether processing happens on a “large scale”, in turn, depends on four main factors: the number of data subjects involved, the volume of data or range of different data items, the duration or permanence of processing, and the geographical coverage of processing.
The GDPR doesn’t have strict requirements or credentials to determine who can work as a Data Protection Officer. It determines, however, that the person must be appointed based on professional qualities, especially with regard to expertise and knowledge of data protection law. The Regulation also notes that a DPO’s qualifications must be proportional to the type of processing done by the organization and the level of protection required from it.
Articles 38 and 39 of the GDPR define the six main tasks of a DPO:
While performing these tasks, a DPO always needs to take into account the risk associated with the processing. This is done through the analysis of the nature, context, scope, and purpose of the processing of personal data in each case. A Data Protection Officer also needs to prioritize riskier activities, for instance when the processing involves special category data or can have a damaging impact on data subjects.
Now you understand what a DPO is and what it is responsible for. To learn more about other aspects of data protection law, don’t forget to follow our LinkedIn page to keep up to date with all of our special content about it!
We know compliance can be a challenging journey, and this is why we have developed the Privacy Management Tool. With it, you can map, document and maintain the requirements of data protection in your organization. Try it now for free!
Contact the XCure team if you want more information or a presentation of the Privacy Management Tool.