General Data Protection Regulation (GDPR) is a privacy protection law that has far-reaching implications. And at the root of it all are the significant structural changes that the organisations have to make to be compliant with the GDPR. The compliance cost is huge, and no one wants to be on the wrong side of GDPR. Appointing a Data Protection Officer (DPO) happens to be one such requirement. However, it is not an entirely fresh concept. Many organisations already have such a role in place either as a mandatory requirement in their country or to set the industry benchmark. But, for the first time, outsourcing a DPO has become a compulsory requirement for such a large pool of organisations.
Under GDPR, is it compulsory for every organisation to hire a data protection officer? What are their roles and responsibilities? Who do they report to? And many such questions are still lingering in the minds of the executives who have been entrusted with the task of making their respective organisations GDPR compliant. Everything one needs to know about a DPO is present here.
Who is a Data Protection Officer (DPO)?
A DPO is a leadership position in the GDPR document. The primary responsibility of the DPO is to make sure that a proper GDPR strategy is in place in organisations and to supervise its smooth implementation. It is necessarily an executive-level position in organisational data management and security.
Does Every Company Need a DPO?
To hire a Data Protection Officer is essential when an organisation falls into one of the following categories:
Public Authority:
If a public authority is processing the user data, then they have to appoint a Data Protection Officer (DPO).
Core Data processor and controllers:
Organisations that carry out ‘regular and systematic processing’ of data as their core activity must also fulfil this mandatory requirement. For data processing to be considered a core activity, it should be critical to the operations and goals of the organisation. For instance, IT and HR management are support functions and not the core activities of an organisation. Then, there is the term ‘regular and systematic’ which means at regular intervals. As per a pre-determined arrangement, monitoring of data subjects, profiling them, and so on. By the way, it is irrelevant whether the collection and systematic monitoring of data are taking place online or offline. Once the data is collected and is being processed, it comes under the purview of the GDPR.
Large-scale data processor and controllers:
Organisations that process data of data subjects on a large-scale also have to appoint a Data Protection Officer (DPO) as a mandatory requirement. Again, article 29 working party states that to be considered a large-scale processor, it is not just the volume of the data that is being processed is under consideration. Multiple other factors must be taken into account.