Data Protection Officer

A data protection officer, or DPO for short, is a person designated by an organisation (an employee or an external contractor) to oversee how the organisation collects and processes personal data about data subjects, and to make sure that processing follows applicable privacy laws and regulations.

What is a data protection officer?

The role of the data protection officer, also known as a “DPO,” is to help your company comply with the GDPR. The DPO should assist with internal compliance, inform and advise on your data protection obligations, provide advice on Data Protection Impact Assessments (DPIAs), and act as a contact point for data subjects and the data protection authorities.

The DPO must be independent, must not be instructed on how to carry out their tasks, must be adequately resourced, and must report directly to the highest management level.

What are the duties of the data protection officer?

The GDPR (Article 39, with the contact-point role in Article 38) defines the duties of the DPO as:

  • to inform and advise you and your employees about your obligations to comply with the GDPR and other data protection laws;
  • to monitor compliance with the GDPR and other data protection laws and with your data protection policies, including assigning responsibilities for data protection activities, raising awareness of data protection issues, training staff, and conducting internal audits;
  • to advise on, and to monitor, data protection impact assessments;
  • to cooperate with the data protection authority; and
  • to be the first point of contact for individuals whose data is processed (employees, customers etc.).

It’s possible to assign further tasks and duties to the DPO, so long as they don’t result in a conflict of interests with the DPO’s primary tasks.

Do you need to appoint a data protection officer?

Under Article 37 of the GDPR you must designate a DPO if you are a public authority or body (other than a court acting in its judicial capacity), or if your core activities consist of processing that requires regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of special categories of personal data or data about criminal convictions and offences. Your core activities are the primary business activities of your organisation: if you need to process personal data to achieve your key objectives, that processing is a core activity. This is different from processing personal data for secondary purposes (e.g. payroll or HR information), which supports your primary objectives but is not part of carrying them out. Even where a DPO is not mandatory, you may appoint one voluntarily; if you do, the same independence and resourcing requirements apply.

The DPO isn’t personally liable for data protection compliance. As the controller or processor, it remains your responsibility to comply with the GDPR, and you must not penalise or dismiss the DPO for performing their tasks. Nevertheless, the DPO plays a crucial role in helping you to fulfil your organisation’s data protection obligations.

Further reading

There are many roles defined by the GDPR (controller, processor, data subject, supervisory authority, and DPO among them). Read more about the different GDPR roles and their respective responsibilities.
