GDPR includes provisions to set out the role and responsibilities of the designated Data Protection Officer (“DPO”).


  • The organisation must ensure that the Data Protection Officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.  In particular, the DPO must be involved in the conduct of data protection risk assessments known as “Data Protection Impact Assessments”.
  • The organisation must support the DPO in performing the mandatory tasks by ensuring that they have:
    • resources necessary to carry out the tasks,
    • access to personal data and to data processing operations, and
    • resources to maintain their expert knowledge.
  • The organisation must ensure that the DPO does not receive any instructions regarding the exercise of required tasks.
  • There must be no penalties on the Officer for performing the tasks required of the DPO.
  • The organisation must ensure that the Data Protection Officer does not have any conflict of interest when carrying out the role.
  • The Data Protection Officer must report directly to the highest management level in the organisation.

These requirements are taken from the Regulation.  They set out the duty to avoid conflict of interest and to not receive instructions that can compromise the independence of the role.  These are the parameters of the role: it is a statutory role with specific responsibilities, not to be taken lightly.

Key issues in approaching the DPO role

  • Raise awareness of the role and its responsibilities at board or senior management team level.  The DPO will require their support and acceptance if the role is to be undertaken properly.  Everyone must understand the constraints within which the Data Protection Officer works and the impact on the organisation.
  • Make the right selection of DPO.  It must be someone reasonably senior who understands the business.  After all, you can bolt on data protection knowledge, but it takes months, if not years, to really understand how a business works.
  • On an ongoing basis the DPO needs to:
    • check the compliance of the organisation with GDPR and
    • check the integrity of their own role as DPO.

These are two separate objectives.  In both cases the DPO is not responsible for ensuring compliance; no one person can ensure compliance.  The role involves checking that the controls are in place, checking their effectiveness, and reporting the findings back to senior management.

  • As ever with GDPR, keep good records of all of this activity.

What we can do to help

Our DPO Support Package includes a flexible calendar of compliance checks supported with mini audit forms to guide checkers and record their findings.  It also includes a bank of questions and answers for DPOs to test the effectiveness of data protection training; we included two levels: general staff awareness and manager level awareness.  The DPO Support Package can save time developing an annual programme of documented checks and deciding what checks to undertake.  It suggests which checks can be undertaken by colleagues with findings reported back to the DPO.  It includes checks on the integrity of the DPO role as well as those on the compliance of the organisation with GDPR.  We also offer Data Protection Compliance Support, a maintenance programme for smaller businesses to save time when dealing with data protection issues and to save money by avoiding expensive legal fees.  See our products and services pages for more information.