A data protection officer (DPO) is a person designated by certain organisations to oversee how they collect and process personal data about data subjects, and to check that this processing complies with privacy laws and regulations. The DPO can be an employee or an external service provider.
Under the GDPR, the DPO's role is to help ensure that your company complies with the regulation. The DPO should assist with internal compliance, inform and advise on your data protection obligations, monitor compliance, provide advice on Data Protection Impact Assessments (DPIAs) and act as the contact point for data subjects and for the data protection (supervisory) authorities.
The DPO must be independent, adequately resourced, and report to the highest management level.
The GDPR defines the duties of the DPO as:
Further tasks and duties may be assigned to the DPO, as long as they do not create a conflict of interest with the DPO's primary tasks (for example, a DPO should not also be the person who decides the purposes and means of the processing they are meant to oversee).
If processing personal data is a core activity of your company, the chances are that you need to designate a DPO. Under the GDPR this is mandatory for public authorities and for organisations whose core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data or data relating to criminal convictions. Your core activities are the primary business activities of your organisation: if you need to process personal data to achieve your key objectives, that processing is a core activity. This differs from processing personal data for secondary purposes (e.g. payroll or HR records), which supports the business but is not part of carrying out your primary objectives.
The DPO is not personally liable for data protection compliance. As the controller or processor, your organisation remains responsible for complying with the GDPR. Nevertheless, the DPO plays a crucial role in helping you fulfil your organisation's data protection obligations.
There are several distinct roles under the GDPR, including controller, processor and DPO. Read more about the different GDPR roles and their respective responsibilities.