DPOs Monitor Privacy Risk and Compliance for Their Organization
While the position of Data Protection Officer (DPO) had existed in countries like Germany and France since the 1990s, GDPR crystallized the need for and the role of the position. GDPR Articles 37, 38 and 39 define the roles and responsibilities of the DPO, and Articles 8 and 9 define its data responsibilities. The DPO should monitor overall privacy risk and compliance for their organization and act as the conduit to the national supervisory authorities.
The Data Protection Officer (DPO) role is closely related to that of the CPO. The DPO is a role mandated by GDPR who works with the local Data Protection Authority (DPA) to ensure compliance with the regulation. Very few companies have combined the two roles, as the CPO is seen as an advocate for the company while the DPO is an advocate for the DPA. Section 4, Articles 37-39 define the role and responsibilities of the data protection officer.
What are the primary tasks of the DPO?
- Monitors compliance with GDPR and other data protection laws.
- Trains staff and audits compliance.
- Provides consultation on Data Protection Impact Assessments (DPIAs).
- Acts as the contact point for the supervisory authority.
- Advises on risk relating to data processing activities.
From the GDPR text, this is how the regulation defines DPO responsibilities:
- The data protection officer shall have at least the following tasks:
  a. to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
  b. to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
  c. to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
  d. to cooperate with the supervisory authority;
  e. to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
- The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.