If your business is required to comply with the EU GDPR or the UK GDPR, you may need to appoint a Data Protection Officer (DPO) to oversee your organization's data processing practices. This guide is for businesses that want to understand what a DPO is, whether they need one, and how to choose the right person for the job.
A Data Protection Officer (DPO) is a person designated by an organization and tasked with monitoring, advising, and upholding the business’s compliance obligations. They report directly to the highest management level and act as the primary contact point for supervisory authorities and data subjects regarding inquiries about data processing within the organization.
No, not all organizations are legally required to have a DPO. Only in specific cases (outlined in the GDPR) is a DPO legally required. However, even if not mandatory, you may voluntarily appoint a DPO. In fact, we recommend that you do.
Your organization is legally required by the GDPR to designate a DPO if:
Your organization is a public authority or body: This requirement does not apply to private businesses. Public authorities include ministries, municipalities, regulatory bodies, state agencies, and government-funded entities that exercise public power. We only mention this in case a reader is the employee of a local council, public hospital, etc.
Your business’s core activities involve tracking and profiling individuals on a large scale: You must appoint a DPO if your business regularly and systematically monitors data subjects on a large scale. Examples include social media platforms, facial recognition service providers, and telecommunications companies.
Your business’s core activities involve processing high-risk categories of data on a large scale: You must appoint a DPO if your business processes special categories of data or data relating to criminal convictions and offenses. Examples include medical practices processing large quantities of health records, genetic testing companies, biometric security firms, or healthcare platforms managing medical data for thousands of patients regularly.
“Core activities” relate to an organization’s primary operations, not ancillary personal data processing.
In accordance with the GDPR, your DPO must be designated based on their professional qualities, their knowledge of the GDPR, their understanding of your organization’s data processing practices, and their ability to fulfill their tasks.
Remember, all DPOs have to start somewhere, so don’t be too critical of who you assign. However, as a baseline, we highly recommend choosing someone who is skilled with technology, with bonus points for anyone with experience in risk assessments and compliance audits. Since much of the job involves assessing data flows and entry points through software, designating someone with minimal technological literacy will hinder your organization’s compliance.
The GDPR requires your DPO to operate independently (in relation to their DPO responsibilities), without instruction or conflicts of interest, and with sufficient time to carry out their responsibilities. In practice, this rules out anyone who:
Makes decisions about data collection or usage (e.g., CEO, CFO, or upper management)
Has marketing, sales, or profit responsibilities (e.g., Marketing & Sales Directors)
Is accountable for the performance of IT systems processing personal data (e.g., IT Managers)
Lacks time for ongoing training and development
The breadth of responsibilities you assign to your DPO depends on your business and the risks involved in your data processing practices. However, there are some tasks that all DPOs must carry out.
At a minimum, the GDPR requires your DPO to:
Educate and advise your business and staff on data protection law compliance
Check that your business follows data protection rules, train staff, assign responsibilities, and conduct regular audits
Help with privacy risk assessments for new projects and oversee their completion
Work directly with government data protection authorities
Serve as the main contact person for regulators on all data processing matters
No, there is no mandatory requirement to register your DPO with supervisory authorities. You only need to publish your DPO’s contact details in your privacy policy and communicate them to supervisory authorities and data subjects if they inquire about data processing within your organization.