What does a Data Protection Officer do?

A question I was asked recently by a curious client was simply “What does a Data Protection Officer
do?” I gave them as much information as possible and sat with them to discuss the options they
had going forward with regard to filling the role they needed.

We chatted about whether they had somebody internal to fit the role, what training and knowledge
that person would require, whether there would be enough work for them to justify the role full time,
and also the threat of the person walking away once trained up and finding a role at another company.
Data Protection Officers are in big demand: there is a shortage of them across the whole EU, and
well-qualified individuals are highly sought after, so good ones don’t come cheap.

A Data Protection Officer (DPO) is responsible for GDPR compliance within an organisation.
Organisations that employ over 250 employees, perform large-scale processing of personal data, or
process special category data, are required to appoint a DPO. For other organisations that do not
meet these criteria, the appointment of a DPO is still recommended as a ‘best practice’.

The DPO is seen as an extension of the Information Commissioner’s Office (ICO). He or she can be
contacted by the ICO to provide information, and the DPO is to notify the ICO of any data breaches.
It is vital that whoever is appointed as your DPO (whether an internal staff member or an
external one) has the knowledge, support and authority to carry out their role effectively. This often
means they need backing from the very highest level of management within the business and need to be
given the freedom to carry out their work without fear of being penalised.

Due to the skillsets needed regarding knowledge and competence, people with sufficient skills will
be hard to find and in great demand. I’ve heard some advice being given by GDPR providers that the
DPO role “cannot” be done internally as it breaches regulations, but this is complete rubbish. The
role can comfortably be done internally provided the person is not involved in making decisions
about how data is processed, has independence, knowledge, and authority within the business to
perform the role effectively.

Realistically, many smaller businesses will not have enough work to justify a full-time DPO role, and in
these cases outsourcing that function may well be their best option.

The DPO’s responsibility is to ensure GDPR compliance by managing the data register, conducting
Data Protection Impact Assessments (DPIAs), and following up on security measures, agreements
with processors and privacy notices. In addition, he or she has a number of other ‘continuous’ tasks,
such as organising ‘security awareness’ sessions, investigating complaints and responding to
questions regarding data privacy, conducting sample reviews regarding staff and third-party access,
and checking logs.

Whatever your decision with regard to appointing a DPO, it is an important function within your
company and needs to be treated accordingly.