At a glance

  • The GDPR makes it a requirement that organisations appoint a data protection officer (DPO) in some circumstances.
  • The GDPR also contains provisions about the tasks a DPO should carry out and the duties of the employer in respect of the DPO.

In brief

When does a Data Protection Officer need to be appointed under the GDPR?

Under the GDPR, you must appoint a DPO if you:

  • are a public authority (except for courts acting in their judicial capacity);
  • carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
  • carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

You may appoint a single data protection officer to act for a group of companies or for a group of public authorities, taking into account their structure and size.

Any organisation is able to appoint a DPO. Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and skills to discharge your obligations under the GDPR.

What are the tasks of the DPO?

The DPO’s minimum tasks are defined in Article 39:

  • To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
  • To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits.
  • To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).

What does the GDPR say about employer duties?

You must ensure that:

  • The DPO reports to the highest management level of your organisation – ie board level.
  • The DPO operates independently and is not dismissed or penalised for performing their task.
  • Adequate resources are provided to enable DPOs to meet their GDPR obligations.

Can we allocate the role of DPO to an existing employee?

Yes. As long as the professional duties of the employee are compatible with the duties of the DPO and do not lead to a conflict of interests.

You can also contract out the role of DPO externally.

Does the data protection officer need specific qualifications?

The GDPR does not specify the precise credentials a data protection officer is expected to have.

It does require that they should have professional experience and knowledge of data protection law. This should be proportionate to the type of processing your organisation carries out, taking into consideration the level of protection the personal data requires.

In more detail – Article 29

The Article 29 Working Party includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR.

The Article 29 Working Party has published guidelines on DPOs and FAQs on DPOs.