GDPR Data Protection Officer Roles and Responsibilities
A GDPR Data Protection Officer has five primary tasks according to the General Data Protection Regulation. They are spelled out in detail in Article 39. Generally, the tasks relate to providing advice, monitoring compliance, and cooperating with the supervisory authority.
Advice
The primary responsibility of the DPO is to inform and advise the organization about their obligations under the GDPR. They are required to provide information to both the controller/processor who hired them as well as their employees carrying out processing. The information to be provided relates to both the General Data Protection Regulation as well as any other Member State data protection provisions.
Because of the breadth of the GDPR, the data protection officer may be called on to provide advice on a range of subjects. For example, Article 38 requires the organization to ensure the DPO is involved in all issues relating to the protection of personal data. Organizations should involve their DPO in everything from privacy by design to data protection impact assessments to acquiring consent to documentation. If a matter implicates data privacy, the GDPR or other data protection laws, the DPO should be consulted and is expected to weigh in on it.
Monitor Compliance
A GDPR Data Protection Officer is also required to monitor compliance with the GDPR and with the policies of the organization with respect to protecting personal data. This applies broadly, tasking the DPO with everything from training staff to conducting audits to ensure compliance. The DPO should be involved in making sure that the policies that were established are followed and that the personal data of data subjects in the hands of the company is actually protected.
Although it is not explicitly mentioned, this task would also include maintaining and checking the records of processing activities required by Article 30. Since accountability is a key principle of the GDPR and the core of the record-keeping requirement, it would be hard for the DPO to avoid checking these electronic and printed materials as a function of monitoring compliance.
Data Protection Impact Assessments
Article 35 requires a controller to seek the advice of the designated data protection officer when carrying out a data protection impact assessment. Article 39 mandates that the DPO provide advice regarding the DPIA and monitor its performance. Data Protection Impact Assessments are an important aspect of limiting the privacy risks of business processes which are likely to result in a high risk to the rights and freedoms of natural persons.
Cooperation & Point of Contact
The DPO is required to cooperate with the supervisory authority and serve as the point of contact, including during Article 36 prior consultations and any other matter. We have combined these two tasks for simplicity, although they are separated in Article 39. It isn’t particularly clear in the text of the GDPR if there is a reason to separate both of them other than to emphasize that they are both obligations of the GDPR DPO.
Article 36 requires a controller to have a prior consultation with the supervisory authority if there are residual high risks even after a DPIA is conducted and the organization attempts to mitigate the privacy risks. The name of the organization’s DPO is given to the supervisory authority as part of the Article 36 process and the DPO is required to act as the point of contact for the consultation as well as any other issues arising.
Other Tasks
Although it is not mentioned in Article 39, Article 38 specifically identifies the data protection officer as the point of contact for data subjects with regard to all issues related to the processing of their personal data and the exercise of their rights. Article 13 also requires the contact details of the data protection officer be provided to data subjects when their personal data is collected.
The GDPR also says that an organization can specify additional tasks and duties to the data protection officer so long as they don’t interfere with the DPO’s primary tasks. The DPO isn’t to be given tasks that ask him or her to manage competing objectives that could involve putting business interests ahead of data protection.
Improve Data Privacy for GDPR or CCPA with Clarip
The Clarip team and enterprise privacy management software are ready to meet your compliance automation challenges. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.
If compliance with the California Consumer Privacy Act is your focus until 2020, ask us about our CCPA software. Handle automation of data subject access requests with our DSAR Portal, or provide the right to opt out of the sale of personal information with the consent management software.
Need to improve your GDPR compliance solution? Clarip offers modular GDPR software that can fill in gaps in your privacy program. Choose from the data mapping software for an automated solution to understanding your data collection and sharing, conduct privacy risk assessments with DPIA software, or choose the cookie consent manager for ePrivacy.