Data Protection Officer

Since 2018, the General Data Protection Regulation (GDPR), the European privacy law that governs the proper processing and protection of personal data, has been in force. The responsibility for compliance with the GDPR within an organisation lies with the management. To ensure that personal data is handled properly, management may be supported and advised by an employee with a specific job description, often referred to as a Privacy Officer (PO). In certain cases, such as government bodies or organisations that process personal data on a large scale, appointing a Data Protection Officer (DPO) is a legal requirement.

Responsibilities of the Data Protection Officer 

The Data Protection Officer’s role is to monitor and advise management on compliance with data protection legislation. The emphasis is on independent signalling and reporting. 

The DPO therefore reports directly to the organisation’s management. Although the DPO is responsible for monitoring compliance with privacy laws and regulations, management remains responsible for that compliance. The DPO provides advice, but is not personally liable for compliance with the GDPR. 

The DPO advises staff on privacy-related issues and provides training to increase internal knowledge in this area. In addition, the DPO assists in conducting a Data Protection Impact Assessment (DPIA) and in assessing data breaches. The DPO also liaises with data subjects and the regulatory authorities.

Requirements for the position of DPO

If an organisation is required to appoint a DPO under the GDPR, the position must be filled in accordance with certain requirements. These requirements are designed to ensure the independence of the DPO: 

  • The DPO may not receive instructions in the performance of his or her duties; 
  • Dismissal or other sanctions as a result of the performance of the DPO’s duties are not allowed, except in the case of poor performance; 
  • The DPO must have adequate resources, time and access to systems to carry out his or her duties; 
  • The DPO shall not hold any secondary positions that could potentially lead to conflicts of interest.

Does my organisation need a DPO? 

The GDPR states that the appointment of a Data Protection Officer is mandatory for:

  • Public organisations and public authorities (excluding courts); 
  • Organisations that process sensitive personal data on a large scale (such as data relating to health, religion or ethnic origin); 
  • Organisations that “regularly and systematically” monitor individuals on a large scale. 

Sometimes it is difficult to determine whether the latter criterion applies. It covers, for example, organisations that track individuals through their websites and build profiles based on interests and preferences. However, to fall into the latter category, this monitoring must be a core activity of the organisation. So if you only collect data about the use of your website, you are not obliged to appoint a Data Protection Officer. 

However, given the social importance of privacy and the risks to the organisation of inadequately protecting personal data (reputational damage, fines), it is advisable to appoint at least one member of staff as a point of contact for privacy and personal data, even if your organisation does not fall into any of the above categories. In that case, appointing a Privacy Officer is a good choice. Both the DPO and PO roles can be filled internally, but they can also be outsourced.

Data Protection Officer vs. Privacy Officer

In practice, confusion frequently arises about the difference between the Privacy Officer and the Data Protection Officer.

Like the DPO, the role of the PO is to monitor compliance with privacy laws and advise management on this. However, unlike the role of the PO, the role of the DPO is defined by law. 

Large organisations sometimes choose to appoint both a Data Protection Officer and a Privacy Officer for practical reasons. After all, this increases the number of employees dealing with data protection and GDPR compliance, while making it clear to customers and regulators who the organisation’s first point of contact is. 

Want to know more?

Want advice on fulfilling the role of DPO or PO? Our consultants will be happy to advise you on privacy-related issues. They can also fulfil the role of (external) Privacy Officer or (external) Data Protection Officer.