A common question about GDPR compliance is whether a Data Protection Officer (DPO) is required for all businesses. A DPO is an independent expert who is hired to oversee an organisation’s compliance with data protection and privacy laws.
While it’s widely assumed that only large companies need to hire a DPO, it really depends on what an organisation’s core data processing activities are, i.e. the types of data they collect and how they use it. Let’s look at the roles and responsibilities of a DPO, and the criteria under which hiring one is mandatory.
A DPO is employed to provide expert advice on and implement a strategy to meet an organisation’s data protection and privacy obligations. They should be well-versed in areas such as privacy law, cybersecurity, and risk management.
If hired internally, the organisation must choose an employee who isn’t subject to a conflict of interest. For example, a company’s Chief IT Officer cannot also be their DPO.
A DPO is involved in all issues related to the protection of personal data and reports to the highest management level of their organisation.To this end, the DPO must be given the authority to access information about and investigate an organisation’s data processing activities.
According to the GDPR, a DPO’s key responsibilities include:
While a DPO has a diverse and wide-ranging set of roles and responsibilities, they are not personally responsible for GDPR compliance. Rather, the organisation will need to demonstrate compliance by equipping their DPO with adequate resources and support to carry out their responsibilities.
The GDPR also makes special note that the DPO should not be penalised for or obstructed from doing their job.
No, not all businesses need to hire a DPO in order to comply with the GDPR. According to Article 37 of the GDPR, there are three instances in which a data controller must appoint a DPO:
While a DPO can spearhead GDPR compliance initiatives, getting compliant isn’t a one-person job: it requires a coordinated effort that must be supported by all sides of an organisation.