July 23, 2020 | Reading time 12 minutes

Data Protection Officer (DPO) and their Role in GDPR Compliance

As you might know, in Article 37 of the GDPR compliance law, the authorities made it imperative for some companies to hire a Data Protection Officer (DPO); otherwise, the company risks staying non-compliant and facing the financial consequences of non-compliance. And these consequences happen to be crippling for most small-to-medium businesses.

While a DPO seems to be a key figure in the most extensive data privacy protection low, there are a lot of unanswered questions surrounding this position.

In this article, we will clarify the following:

  • What is a DPO, and what is his role in a company?
  • Does your company have to hire a DPO?
  • What are the DPO tasks, roles, and responsibilities?
  • What are the principal qualifications and qualities to look for in a DPO?
  • What to keep in mind when appointing a Data Protection Officer?

What is a Data Protection Officer

Since becoming compliant is a complicated multifactorial process that requires a deep understanding of the law, the GDPR authorities created a brand new role—Data Protection Officer—to help companies with this task.

DPO is one of the leadership roles required for public authorities and companies involved in data processing activities. The DPO is in charge of all data-related processes, and their main goal is to ensure that all these processes are in line with the law.

Their main task is to oversee, supervise, consult, and implement the GDPR-compliant data protection program, ensuring the company transition to compliance is going smoothly.

Usually, the Data Protection Officer is a proven specialist in privacy and data protection law who knows their way around the GDPR. Having a background in jurisprudence is a common practice for most DPOs, but it is not obligatory. As long as the skills and education/career background is relevant, the previous specialization of a DPO shouldn’t be a deciding factor when you hire one. We will talk about this more below.

Which companies are obligated to appoint a DPO?

Many companies’ leaders ask, “do we need a data protection officer?”

Despite the popular belief that everyone subject to the GDPR is required to appoint a DPO, it is not the case. Moreover, the EU GDPR doesn’t necessarily apply to your company at all, even if you are a company based in the EU.

In case you are uncertain whether the GDPR applies to you, here are the two main criteria you need to fit in to be subject to the GDPR:

  1. You are an EU-based organization that collects and processes data of EU residents.
  2. You are based outside of the EU, but you have customers and visitors from the EU whose data you collect or process.

If you have established that you have to meet the GDPR compliance requirements, it’s time to determine whether you need to hire a DPO.

If you can agree with at least one of the three following statements, you need to hire a data protection officer:

  1. Your company is designated as a public authority/institution/body.
  2. Your company collects and processes personal data to achieve its main objectives (e-commerce or healthcare). Processing data of your employees, suppliers, and partners is not included in this category.
  3. Your company collects, processes, and monitors specific data categories: criminal or medical records, information about political or religious views, and so on.

As you can see, the company’s size and location have little to do with whether you need to appoint a DPO.

Can I Hire a Data Protection Officer If I’m Not Obligated to?

Sometimes, companies that are subject to the GDPR may want to hire a DPO voluntarily simply because they need professional assistance. In case you need expert guidance to facilitate the GDPR-compliance process, the law doesn’t forbid hiring a DPO.

However, the voluntary DPO appointment isn’t different from the mandatory one in terms of the appointment criteria. You will have to go through the same paperwork, including DPO registration with supervisory authorities, and must abide by the same set of rules.

DPO: tasks, roles, and responsibilities

The main task of a DPO is to do everything necessary to ensure that the company guarantees and protects data subjects’ rights under GDPR. The implementation of all data protection processes is a complicated task, especially for a company with zero experience in that matter. Moreover, compliance is never a one-off thing, but a continuous process, so there is always a need to keep an eye on things.

And this is what the data protection officer is for.

The DPO orchestrates, manages, and supervises all the activities that are aimed at protecting users’ data and communicates the status to both internal and external parties. This includes:

  • Creating an effective step-by-step privacy program that is in line with the GDPR criteria
  • Supervising the entire implementation process of the program at all stages
  • Assuring that all the data processes are being conducted according to the GDPR standards
  • Reporting to the management, stakeholders, and all the parties involved on how the implementation process goes
  • Reporting to the management on the potential threats to data security and general integrity, and what can be done to eliminate them
  • Educating employees on the matters of data privacy and data protection under the GDPR
  • Training staff that is directly related to or involved in the data collection, processing, or storing
  • Keeping track of and recording all the operations that involve users’ personal data and the reasons for these operations to take place
  • Auditing the data processes to assess their performance and address possible problems proactively
  • Reporting on the progress of the implementation and maintenance of the data privacy program in the company to the GDPR authorities, stakeholders, and public/customers
  • Being a connective link between the organization and data subjects (users/customers). Communicating with data subjects on how their data are being handled, what rights do they have, and addressing all their requests concerning their data
  • Communicating with GDPR supervisors and being a connecting link between the organization and authorities

Important to know: The DPO is never held liable in case of non-compliance—it is always the data controller or processor (aka your organization) who answers for the breach of the regulation.

However, even if the breach occurs, having a DPO shows to authorities that the company takes the law seriously and has done everything to prevent the breach from happening, which is the primary purpose of the GDPR. If the breach has occurred because of the DPO’s actions, the company can designate another person in this role.

With all that being said, it’s clear that the DPO is a vital position for aligning your organization with the GDPR. So, how to find one? What to look at when searching for the DPO? Let’s find out.

Hiring a Data Protection Officer: Best Practices

So, what are the GDPR data protection officer requirements? What should you keep in mind when hiring one?

Well, according to article 39, a DPO must possess “professional qualities and, in particular, expert knowledge of data protection law and practices.” Yet, there are no definite criteria for how they should acquire these qualities.

By logic, the key point you should pay attention to is a sound understanding of the GDPR, best if it is both on paper and in practice. It makes the presence of some DPO certification that includes 30 to 60-hour training on GDPR matters essential in order for the DPO to perform their duties. Here are some of the places where they can be trained:

  1. IAPP Certifications
  2. TÜV in Germany
  3. IT Governance in the UK
  4. ISACA Certifications

As for other skills and qualifications necessary for the DPO job, here are some to look for:

  1. Experience in managing people. DPO is a leadership role, which requires the ability to take responsibility and manage resources and people.
  2. Ability to break down complex and abstract regulatory requirements into digestible steps to put the law into practice.
  3. Understanding your niche, industry, and its nuances.
  4. Ability to educate and explain. Educating your employees will be a massive part of the DPO’s job duties.
  5. Strong communication skills. The DPO is a go-between for your company, the board, and the users, so their communication skills must be as sharp as their GDPR familiarity.
  6. Deep understanding of the privacy laws within the EU or in other countries. This understanding may not necessarily come from legal experience. It also may come from a variety of sources and experiences, like a background in risk management.
  7. Grasp of IT security practices. As someone who will work closely with and give tasks to the IT department, the DPO has to be aware of the main cyber threats that put your security and, therefore, GDPR compliance at risk.

Happen to have a person within your company that matches the requirements? The law doesn’t forbid you from appointing your employee as DPO as long as there is no conflict of interest. If you can prove that and show the presence of all the required qualifications, you are free to appoint someone from your staff.

Personal data security is what the GDPR is all about, and the DPO is the one to put it in place. But there are many things to be done for your organization to be compliant and to secure your data.

How Spinbackup Facilitates Your GDPR Compliance

While DPO is your guide to compliance, your company (more specifically, the IT department) is still the one to do all the work.

Given all the data security requirements we speak about in our GDPR Compliance Checklist, your IT department may have a hard time implementing multiple data protection strategies. This process is complicated, takes time, and usually results in heavy overheads.

Spinbackup is a cybersecurity platform for G Suite and Microsoft 365 environments that reduces time and money losses by automating all the data security processes. Moreover, it makes all these processes visible, which enhances integrity and control over your data.

Here is what Spinbackup helps you with:

1. Data loss protection with encrypted 3x a day backup.

2. Ransomware protection.

3. Risk assessment (apps audit) of all connected applications.

4. Access management of all users.

5. Domain audit.

6. Insider threat protection.

7. Customizable security policies, regular reports, and much more.

Find out more about how we help you to reach compliance in the cloud.

Want to see Spinbackup in action?

Try SpinOne for free

Was this helpful?

Thanks for your feedback!
Avatar photo

Vice President of Product

About Author

Davit Asatryan is the Vice President of Product at Spin.AI

He is responsible for executing product strategy by overseeing the entire product lifecycle, with a focus on developing cutting-edge solutions to address the evolving landscape of cybersecurity threats.

He has been with the company for over 5 years and specializes in SaaS Security, helping organizations battle Shadow IT, ransomware, and data leak issues.

Prior to joining Spin.AI, Davit gained experience by working in fintech startups and also received his Bachelor’s degree from UC Berkeley. In his spare time, Davit enjoys traveling, playing soccer and tennis with his friends, and watching sports of any kind.


Featured Work:
Webinar:

How Can You Maximize SaaS Security Benefits?

Let's get started with a live demo

Latest blog posts

cloud to cloud backup solution

Why do you need C2C backups for your online business?

The amount of business-critical data stored in the cloud is increasing exponentially. So are the chances of data loss. Human […]

soc 2 compliance

SOC 2 Compliance Guide for Google Workspace

Security and privacy are paramount with cloud computing and Software as a Service (SaaS), ensuring the security of customer data. […]

ISO Compliance for Google Workspace Admins

ISO Compliance Guide for Google Workspace Administrators

ISO compliance has been a buzzword in data protection circles for quite some time. In a world where compliance regulations […]