The Data Protection Officer (DPO) Role Under the GDPR

DPOs (data protection officers) are independent data protection experts who are responsible for:

• Monitoring an organisation’s data protection compliance;
• Informing it of and advising on its data protection obligations;
• Reviewing and providing guidance on privacy policies, procedures and documentation relating to processing personal data;
• Acting as the contact point for data protection authorities for all data protection issues;
• Providing advice on DPIAs (data protection impact assessments), the manner of implementation and outcomes;
• Advising on data breach monitoring, management and reporting; and
• Advising on responses to privacy rights requests from individuals.

The GDPR (General Data Protection Regulation) requires many organisations to appoint a DPO to ensure their compliance.

We have a selection of products and services that can help you meet your GDPR data protection officer requirements, whether it is an outsourced solution, complementary support or certified training.

Our certified GDPR training courses offer a structured learning path that equips data protection and information security professionals and individuals who lack data protection expertise and experience with the specialist knowledge and skills needed to deliver GDPR compliance.

DPO as a service provides an outsourced DPO for organisations that do not have the internal resource to fulfil the role.

• Certified Data Protection Officer (C-DPO) Training Course
• Certified Data Protection Officer (C-DPO) Accelerated Training Course
• Data Protection Officer (DPO) as a Service

What does a DPO do?
The GDPR has increased the demand for DPOs, but not every organisation must appoint one under the Regulation.

Organisations must assess whether they need one and, if so, who they should give that responsibility to. Some legal requirements must be met, such as avoiding conflicts of interest, which can prove challenging.

Data protection officer roles and responsibilities
Articles 37–39 of the GDPR set out its DPO-related requirements:

• When one must be appointed (Article 37);
• The nature of their position in the organisation (Article 38); and
• The tasks they must carry out (Article 39).

Infringements of articles 37–39 leave organisations open to the GDPR’s lower level of administrative fines: up to 2% of annual global turnover or €10 million (about £8.5 million), so it’s essential to meet your DPO obligations correctly and in full.

The DPO’s tasks
The DPO reports directly to “the highest management level” in the organisation and has the following tasks under the GDPR:

• Informing and advising the organisation and its employees of their data protection obligations.
• Monitoring the organisation’s compliance with the GDPR and internal data protection policies and procedures. This will include monitoring the assignment of responsibilities, awareness training, and training of staff involved in processing operations and related audits.
• Advising on whether a DPIA is necessary, how to conduct one and expected outcomes.
• Serving as the contact point for the ICO (or other relevant supervisory authority) on all data protection issues, including data breach reporting.
• Serving as the contact point for data subjects on privacy matters, including DSARs (data subject access requests).

Who needs to appoint a data protection officer?
Mandatory appointment

Under the GDPR, the requirement to appoint a data protection officer is mandatory under three circumstances:

1. The organisation is a public authority or body.
2. The organisation’s core activities consist of data processing operations that require regular and systematic monitoring of data subjects on a large scale.
3. The organisation’s core activities consist of large-scale processing of special categories of data (sensitive data such as personal information on health, religion, race or sexual orientation) and/or personal data relating to criminal convictions and offences.

SMEs (small and medium-sized enterprises) are not exempt from the DPO requirements, should any or all of the above apply.

Other circumstances in which to appoint a DPO

The GDPR permits member states to specify other circumstances in which a DPO must be appointed.

Although the UK DPA (Data Protection Act) 2018 does not extend the GDPR’s requirements for DPOs, several other member state laws do.

German data protection law, for example, requires every organisation with ten or more employees that permanently processes personal data to appoint a DPO.

Voluntary appointment

Even where the GDPR does not specifically require a DPO to be appointed, it is highly encouraged by the EDPB (European Data Protection Board) as a matter of good practice.

However, the role of the DPO is defined by the GDPR. So, if you appoint a DPO, they must fulfil the requirements the law sets out for them. Failing to do so will leave your organisation open to regulatory action.

Therefore, if you are not legally obliged to appoint a DPO, you are better off appointing a GDPR manager or data privacy officer to oversee your GDPR compliance.

Like the official DPO role, this can be outsourced. The Data Privacy Manager Service  will provide you with fast and expert support from independent privacy lawyers, DPOs and cyber security experts.

Legal status of the DPO

A DPO has the same legal status whether the appointment is voluntary or mandatory. Organisations will be liable for the same penalties if the DPO role is not fulfilled correctly. Therefore, they might find it sensible to employ someone in a similar role to oversee data protection but with the freedom to be more involved in the practicalities.

No. The GDPR allows organisations to choose whether to appoint an internal or external DPO. The DPO may be a permanent staff member (internal) or acting under a service contract (external).

Either way, your DPO must be given the necessary resources to fulfil their tasks. Similarly, you need to consider the level of support your DPO may need to carry out their duties adequately.

With a shortage of individuals trained to handle the specific DPO responsibilities, outsourcing these tasks and duties can help your organisation address the compliance demands of the GDPR while staying focused on core business activities.

Whatever the decision, IT Governance can help your organisation fulfil the DPO role with  outsourced solutions,  training for internal development  and  support services.

No. The GDPR allows organisations to choose whether to appoint an internal or external DPO. The DPO may be a permanent staff member (internal) or acting under a service contract (external).

• Independence: The GDPR requires that the DPO operate independently and without instruction from their employer over how they carry out their DPO tasks. This includes instructions on what result should be achieved, how to investigate a complaint or whether to consult the ICO. Organisations also cannot tell their DPO how to interpret data protection law.

• No conflicts of interest: Although the GDPR allows DPOs to “fulfil other tasks and duties”, organisations must ensure that these do not result in a “conflict of interests” with the DPO duties. Most senior positions within an organisation are likely to cause a conflict (e.g., CEO, chief operating officer, chief financial officer, chief medical officer, head of marketing, head of HR and head of IT).

The GDPR does not specify the credentials a DPO must have. However, the WP29 (Article 29 Working Party) published guidelines, which have been adopted by its successor, the EDPB, defining minimum requirements regarding the DPO’s expertise and skills:

• Level of expertise – understanding how to build, implement and manage data protection programmes is essential. The more complex or high-risk the data processing activities are, the greater the expert knowledge of data protection law and practices the DPO will need.
• Professional qualities – DPOs do not need to be qualified lawyers. Still, they must have expertise in national and European data protection law, including in-depth knowledge of the GDPR. DPOs must also have a reasonable understanding of what technical and organisational measures the organisation has in place and be familiar with information technologies and data security.

In the case of a public authority or body, the DPO should have sound knowledge of its administrative rules and procedures.

What is a data protection officer?
A Data Protection Officer (DPO) is an independent role within an organisation that oversees compliance with GDPR and data protection laws. The DPO advises on obligations, monitors policies and acts as a contact point with the ICO.

What does a data protection officer do?
A DPO ensures personal data is processed lawfully, advises staff on compliance, conducts audits, monitors training and manages communications with regulators and data subjects.

What responsibilities does the data protection officer have?
Key responsibilities include:

• Monitoring compliance with GDPR and the Data Protection Act 2018.
• Advising on data protection impact assessments (DPIAs).
• Raising awareness and training staff.
• Cooperating with the ICO and serving as the main contact point.

Who needs to appoint a data protection officer?
Under GDPR, organisations must appoint a DPO if they are a public authority, carry out large-scale monitoring of individuals or process special category data on a large scale.

Are public authorities required to appoint a data protection officer?
Yes. All public authorities and bodies, regardless of the type of data they process, are required by law to appoint a DPO.

Do I need a data protection officer?
You need a DPO if your organisation meets the GDPR criteria. Even if it’s not mandatory, many organisations appoint one voluntarily to demonstrate accountability and reassure clients.

Does every organisation need a data protection officer?
No. The requirement depends on the scale and type of processing. Small organisations may not need a DPO, but they must still comply with GDPR.

How to become a data protection officer
To become a DPO, you should have expertise in data protection law and practices, knowledge of IT systems and security and strong communication skills. Many DPOs complete GDPR training or certifications.