Responsibilities of a DPO (Data Protection Officer)
The role of a data protection officer is to ensure that an organisation complies with the requirements set out by the General Data Protection Regulation (GDPR). They oversee the organisation’s data protection strategy and its implementation. The DPO’s position, tasks and independence are set out in Articles 37 to 39 of GDPR, and in some cases an organisation is required to appoint one: public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special category or criminal conviction data.
Companies that are not required to appoint a DPO may choose to appoint a data protection lead or data protection manager instead. These roles have very similar responsibilities, but they are not defined in law in the same way.
DPO responsibilities
A DPO is responsible for ensuring that personal data is handled correctly and in compliance with the law, and for advising the organisation on how to do so. The DPO’s contact details must be published and notified to the supervisory authority; in the UK this is done as part of registration with the ICO. There are many skills that a person must hold to become a data protection officer.
The role of a DPO should include:
- Training the organisation’s employees on data processing: what is expected of them under GDPR and data protection law, and how they should comply.
- Carrying out regular audits and assessments to check that all employees comply with GDPR, and reporting any breaches or suspected breaches.
- Providing advice and guidance on completing Data Protection Impact Assessments (DPIAs). A DPIA is a process for identifying the risks of a proposed processing activity and how to mitigate them; it is mandatory where the processing is likely to result in a high risk to individuals.
- Acting as the point of contact for individuals who make requests about their personal data and their rights. This may also include being a voice for people with care and support needs, to make sure they are heard and listened to.
- Ensuring that due diligence is in place at all times. If there is a breach or suspected breach, the DPO should take a risk-based approach: assess the likely impact on the individuals concerned and, where the breach is likely to result in a risk to their rights and freedoms, ensure the supervisory authority is notified within 72 hours of the organisation becoming aware of it.
- Providing support and advice to management and other employees, and assisting in monitoring internal compliance. A DPO must not receive instructions on how to carry out their data protection tasks, and reports directly to the highest level of management.
- Maintaining comprehensive records of all the data processing activities carried out by the organisation. These records must be made available to the supervisory authority on request.
- Supporting business operations and data handling by anticipating data protection challenges as the organisation grows. They must know the industry well and be able to recognise the risks involved in sharing data with, or relying on, external companies.
What are the challenges faced by DPOs?
As with any role, there are certain challenges that DPOs face. Demand for DPOs has grown in response to GDPR, which has exposed some obvious difficulties in what has become a very data-driven economy. In a survey carried out by CPO Magazine, 471 data protection and privacy officers were asked how they are responding to a post-GDPR world and what challenges they face. Large-scale data breaches happen far too regularly, at the same time as the public is becoming increasingly aware of its own data privacy rights. The role of a DPO is still developing, and the tasks they are expected to complete are likely to increase. Some of the challenges Data Protection Officers face are:
- Lack of available budget and resources: DPOs are very commonly under-resourced, and almost half have no dedicated privacy team. This is a real problem given the number of operational tasks they have to carry out, such as:
  - Developing systems and controls
  - Reporting and monitoring
  - Drafting key documents
  - Staff training
  - Managing Data Protection Impact Assessments
  - Handling Data Subject Access Requests
  - Dealing with data breaches
  Being responsible for all of these tasks without a supporting team is very challenging, and unfortunately it is something that many DPOs have to deal with. In the survey, 27% of respondents said that obtaining sufficient resources and budget was their main challenge.
- Isolation: Even where a dedicated privacy team supports the DPO, they are still expected to work independently, and the workload can be overwhelming. A DPO must do everything from educating and training the organisation on privacy issues to dealing with the regulator and handling individual access requests. One mitigation is to make sure the DPO can delegate and assign tasks to their team, where they have one.
- Small teams: 76% of companies surveyed had data protection and privacy departments of ten or fewer employees, an understandable consequence of the resourcing challenges above.
How to become a data protection officer
A DPO is responsible for ensuring that personal data is handled correctly and in compliance with the law. They can be an existing employee of the company or an external appointee. However, certain roles within an organisation cannot take on the role of DPO because of a potential conflict of interest: anyone with responsibility for determining how personal data is used within the organisation. For example, a Marketing Director has a vested interest in decisions about personal data and how it is used for marketing purposes, and may not be objective enough to see the full risks of their own proposed use of that data.
Although no official qualification is required to become a DPO, the following skills are expected of anyone in a data protection team:
- A clear understanding of data protection laws and regulatory requirements
- Experience in data protection compliance
- Experience in an audit, risk management or legal role
- Ability to work under pressure
- Good communication skills both written and verbal
- Hands-on experience of privacy assessments and of information security standards and their certification schemes
- Good leadership and management skills
We offer a range of training and courses for DPOs and DPLs, including the ‘Training Programme for Data Protection Officers and Leads’ and a course on ‘The Role and Responsibilities of a DPO’.