What is a Data Protection Officer?
The EU’s General Data Protection Regulation (GDPR) has been in force since May 2018. If your organization falls under its jurisdiction, you should be aware that it requires the appointment of a Data Protection Officer (DPO) whose job is to monitor internal compliance and ensure that the company or organization processes personal data in accordance with the applicable data privacy laws. The GDPR sets minimum responsibilities for a DPO that are centered on implementing a data protection strategy and maintaining compliance with the Regulation.
The Data Protection Officer is responsible for ensuring that the organization is compliant with GDPR by serving as the data protection expert within the organization and serving as the link between the employees and the members of the public who may find their information used and processed by the organization. The DPO will also be the person responsible for the timely response to data queries and access requests. Finally, the DPO is responsible for conducting data protection impact assessments.
The duties and expectations of a Data Protection Officer range depending on the size of the organization and the amount of personal data that it uses, creates or maintains. In larger organizations, multiple people may need to be dedicated to maintaining the company’s compliance with GDPR, CPRA, and other data privacy laws.
Data Protection Officer Responsibilities
Article 37(5) of the Regulation gives a brief description of the role:
“The DPO, who can be a staff member or contractor, shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.”
Briefly, the Data Protection Officer is responsible for the following tasks:
- Informing the company (whether it is a data controller or a data processor) of its data protection obligations
- Monitoring the company’s compliance with GDPR and delegating responsibilities to parties within the organization
- Raising awareness among employees and staff through GDPR and data security training
- Advising on and/or conducting data protection impact assessments, and implementing policies and procedures to mitigate the risks they identify
- Acting as the point of contact for the Information Commissioner’s Office or the relevant supervisory authority, including reporting data protection compliance failures or breaches
The DPO should be able to operate independently, yet have the full support of management and stakeholders within the organization so that they have access to all the resources needed to do their job, such as information technology, marketing, or legal. It is up to the controller or the data processor to provide all necessary resources to enable the DPO to perform their obligations.
Qualifications of a Data Protection Officer
Clearly the Data Protection Officer is a critical role in an organization, as they may very well be the person responsible for overseeing compliance with GDPR, CPRA, and other data protection regulations. With the potential for large fines for noncompliance, it is critical that the right person is designated as the organization’s Data Protection Officer.
Generally, the DPO role will be assigned to an IT or legal expert. An existing employee can be designated for the role, or a DPO can be hired externally. In either case, the person selected should be familiar with the day-to-day operations of the organization, with an emphasis on its data processing activities. Regardless of their background, it is critical that they are able to work with, and have access to, the business units that process personal data, such as the marketing team, and the tools those units use. Given the broad scope of data protection legislation and the ever-shifting threat landscape, it is a daunting task for one person to maintain continuous insight into both the regulatory environment and the technical infrastructure of a business.
A Data Protection Officer needs to have working knowledge of the following:
What is considered Personal Data
Before you take action to safeguard data, you should first know what it is you are trying to protect. Here is a broad list of data that various data privacy laws consider personal data:
- Names: full names (first, middle, last), maiden name, mother’s maiden name, aliases
- Addresses: street address, email address
- Phone numbers: mobile, business, residential
- Device identifiers: internet protocol (IP) address, media access control (MAC) address
- Any personal identification number: social security number (SSN), passport number, driver’s license number, state identification number, taxpayer identification number, patient identification number, financial account number, credit/debit card number
- Personal features: photographic images with distinguishing features (e.g. showing the face), x-rays, fingerprints, retina scans, voice signatures
- Information identifying personally owned property: vehicle registration number
Rights of Data Subjects Under Applicable Data Privacy Laws
The GDPR provides the following rights for individuals:
- The right to be informed of what data is being collected and processed, and for what reason
- The right of access, which allows a subject to be informed whether their data is being processed and, if so, to access it
- The right to rectification, which allows a data subject to correct inaccurate information
- The right to erasure, which allows a subject to request that all of their data be erased
- The right to restrict processing, which allows the subject to limit the processing of their personal data (some rules and exceptions apply)
- The right to data portability
- The right to object, which allows data subjects to state that they do not want their personal data to be processed
- Rights in relation to automated decision-making and profiling
Know about Data Security Best Practices
Data security is the practice of protecting information from unauthorized access, loss due to negligence, corruption, or theft. Data protection strategies guard an organization’s assets in the form of both its business data and its customers’ data.
Be Able to Conduct Data Impact Assessments
The Data Protection Officer should conduct and monitor internal audits that assess the status of the organization’s GDPR compliance. Audits should be done regularly; a third-party service or lawyer can help make them quicker and easier to carry out.
Know Where Data is Stored and Processed
The Data Protection Officer needs to understand how data moves and flows through the organization: what data it collects, how it processes that data, and with whom it shares it. Data mapping is an important part of GDPR compliance in its own right, and it is also an important first step in a data protection impact assessment (DPIA).
Be Able to Conduct a Data Protection Impact Assessment
A DPIA is a type of risk assessment that helps an organization identify and minimize the risks relating to its data processing activities. GDPR requires organizations to conduct a DPIA before processing data so that the business can identify and mitigate risks. It is also good practice to conduct a new DPIA whenever the organization introduces new processes, systems, or technologies.
Be able to handle a Data Subject Access Request
As a Data Protection Officer, you need to know your responsibilities for responding to a Data Subject Access Request. The GDPR gives data subjects the right to ask what the organization will be doing with their data and who will receive it. The general idea is that a data subject can inquire about what information an organization holds, what it is doing with that information, and how long it will be stored. Additionally, the data subject can ask for a copy of it, can correct inaccurate information, and can even request that you relinquish and delete all of it.
Incident Management and Remediation
In the event of a breach, the Data Protection Officer is responsible for taking immediate action. The officer should have processes and contingencies in place that can be quickly and easily put into effect should a breach occur. The team should investigate the breach, including why and how it occurred, and then take appropriate corrective action, in addition to notifying the relevant authority in the organization’s jurisdiction.
What Tools Does a Data Protection Officer Need?
Because the Data Protection Officer is the hub for GDPR compliance, training and management within the organization, the role carries a great deal of responsibility. GDPR is both long and confusing, presenting a challenge for the person assigned to be the Privacy Officer. Without the right tools, it can be very difficult for any individual to understand all of their organization’s data processing activities and its obligations under the various data privacy laws.
With the help of a third-party framework like Accountable, the Data Protection Officer will have all the information, processes, and documents they need right at their fingertips. We can help your organization understand the role of the Data Protection Officer, the responsibilities they will need to fulfil, the qualities they should possess, and the information they should know, all of which will help you choose or hire the best fit for your organization.