HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

GDPR: What is the Role of the Data Protection Officer?

Many businesses required to comply with GDPR must appoint a Data Protection Officer, but what is the role of the Data Protection Officer and what types of companies are required to appoint a DPO?

The General Data Protection Regulation (GDPR) requires all companies that collect or process the personal data of EU residents to develop policies and procedures covering the collection, processing, and management of personal data of data subjects. GDPR also requires security controls to be implemented to ensure the confidentiality, integrity, and availability of personal data. The deadline for compliance with GDPR was May 25, 2018.

One requirement of GDPR is the appointment of a Data Protection Officer whose main role is to oversee compliance.

Does GDPR Require All Companies to Appoint a Data Protection Officer?

Article 37 of the GDPR explains the requirement for designating a Data Protection Officer in an organization. Generally speaking, large companies – those that employ more than 250 people – are required to appoint a Data Protection Officer. Smaller companies (those with fewer than 250 employees) may not be required to appoint a DPO, although that depends on factors such as the amount of personal data processed, whether special category data are processed, and the nature of the business.

A Data Protection Officer must be appointed if processing is carried out by a public authority or body. A Data Protection Officer must also be appointed if the core activities of the controller or processor require regular systematic monitoring of data subjects on a large scale, or if core activities of a controller or processor consist of processing special categories of data on a large scale.

Any company that does not appoint a Data Protection Officer must be able to demonstrate why it does not need one. An internal analysis should be conducted and the decision not to appoint a DPO should be documented, including the reasons for it. This document may need to be provided in the event of a compliance audit.

Who Can Be Appointed as A Data Protection Officer?

There is no requirement for a Data Protection Officer to have any specific qualifications, so it is not necessary to recruit a DPO externally. An existing member of staff can serve as an organization’s DPO, and a group of companies could appoint a single DPO, provided the DPO is easily accessible from each establishment.

The individual appointed as Data Protection Officer must have a significant amount of data protection experience and must be well versed in GDPR and understand its requirements in order for tasks to be performed effectively.

An employee can only be appointed as a Data Protection Officer if other duties in the company do not cause a conflict of interest. The DPO must be allowed to act independently, free from any influence. The DPO must report to the highest level of management at the data controller or processor and must be bound to secrecy about the performance of his or her tasks. A Data Protection Officer must be given sufficient resources to ensure it is possible for that individual to carry out his or her role effectively.

Further information on the position of the DPO can be found in GDPR Article 37.

What is the Role of the Data Protection Officer?

Article 38 of the GDPR covers the role of the Data Protection Officer. There are five essential tasks that must be performed by the Data Protection Officer.

  • Inform and advise the controller or processor of their obligations under GDPR, and advise employees involved in the processing of personal data about GDPR requirements.
  • Monitor compliance with the GDPR with respect to the protection of personal data, raise awareness of responsibilities, and train staff on processing operations.
  • Provide advice, as requested, on the data protection impact assessment and monitor its performance.
  • Cooperate with the supervisory authority.
  • Act as the single point of contact in the company for the supervisory authority.

The role of the Data Protection Officer is summarized in the infographic below:

GDPR Data Protection Officer Duties

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.