Do you need a Data Protection Officer under the GDPR?

Last updated: 2021-02-05 — GDPR

Since the European Union’s General Data Protection Regulation came into effect in May of 2018, there has been a lot of conversation centred on the changes that organizations need to make in order to comply with the new rules. One of the less discussed and more intriguing angles of the GDPR is who will be responsible for making those changes within an organization.

For many organizations, becoming GDPR-compliant includes designating an official Data Protection Officer (DPO).

That’s not a familiar job title for a lot of employers, so let’s look a little deeper at what a Data Protection Officer’s role entails. The short answer is that the DPO is tasked with making sure that an organization’s data processing operations are up to GDPR standards, and offering advice and guidance toward reaching that goal.

What does a Data Protection Officer do?

The GDPR requires a Data Protection Officer to have “expert knowledge of data protection law and practices” that allows them to advise data controllers and processors on GDPR requirements. That might involve:

  • Leading employee training sessions
  • Assigning responsibilities for data protection
  • Preparing staff for data audits
  • Assessing the risk of various data operations

The DPO also serves as the liaison between your organization and the supervisory authorities, and monitors your data collection and processing.

As for the “protection” part of the job title, a DPO is expected to be active on multiple fronts:

Essentially, a DPO serves as an in-house expert who can usher an organization through the often complicated landscape of processing data in the GDPR era. While the required skills are quite specific, the GDPR actually allows a fair amount of leeway in who can fill the role. Your DPO may be hired from within your organization or as a third-party contractor. The DPO can be either a full- or part-time position, so long as their work meets GDPR criteria. In some cases, several organizations can even share the same DPO.

Keep in mind, though, that it is important to avoid any potential conflicts of interest. If you’re considering appointing someone from your organization who is already involved with collecting or processing user data, you might be well-advised to look elsewhere.

Also remember that independence is an essential component of the DPO position: your Data Protection Officer should not report to any direct supervisor other than top-level management (see Article 38 (3)), and must be given unencumbered access to all data collection and processing operations within your organization.

It’s important to note that your DPO isn’t held personally accountable if your organization does not comply with the GDPR. The sole responsibility still lies with the organization itself.

Who needs to hire a DPO?

Not every organization needs to appoint a Data Protection Officer to stay GDPR-compliant. The need for a DPO isn’t determined by the size or budget of your company (although early drafts suggested a DPO would be required for any private company with more than 250 employees), but rather by the sort of data your company processes and the way it is processed.

Article 37 (1) of the GDPR states that a DPO is required for:

  • Any public authority or body (with the exception of courts and other judicial authorities)
  • Organizations where the core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale
  • Organizations where the core activities consist of processing on a large scale of special categories of data:
    • Race or ethnic origin
    • Political opinions
    • Religious or philosophical beliefs
    • Trade union membership status
    • Health status
    • Sexual orientation and history
    • Genetic or biometric identity

That distinction makes things easier for private companies that don’t deal in regular, automated data monitoring or highly personal information. However, even where a DPO is not required, it’s not a bad idea to appoint an info-security manager to monitor and manage data. (Just remember not to use the title “Data Protection Officer” if you aren’t regulated by the GDPR.)

If you do need to hire a DPO, that shouldn’t be considered a burden. Beyond keeping your organization compliant with GDPR standards, a DPO (or at a minimum, an info-security manager) can provide guidance and education that help you manage data more efficiently, plan future data-based strategies, and increase consumers’ confidence in your website.

Have you automated your GDPR web compliance process? Siteimprove Data Privacy locates the personal data you handle online so you can pinpoint and remove that data across your websites, minimizing the risk of fines and other legal consequences.
