The data protection officer (DPO) is a key person on a company’s way to GDPR compliance. The main role of the DPO is to ensure that your company processes personal data in compliance with the GDPR and other applicable data protection rules, and to oversee other privacy-related matters in the company. The DPO may be a member of the company’s staff or may perform the tasks on an external basis.
In this article we will focus on the role and everyday workflow of the external DPO.
First of all, let’s identify whether your company needs a DPO. Article 37(1) of the GDPR outlines the specific cases in which the designation of a DPO is obligatory:
- where the processing is carried out by a public authority or body;
- where the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or
- where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.
But what if your company does not fall within the above criteria, so there is no obligation to engage a DPO? The answer is simple – designating a DPO is always a good idea, as it shows your clients and potential counterparties that you value their personal data and privacy in general.
Role of DPO
The next step is to establish who exactly can act as an external DPO. The GDPR requires the DPO to possess specific professional qualities and expert knowledge of data protection law and practices.
The DPO has to be involved in all issues relating to the protection of personal data in the company. The controller and the processor shall support the DPO in performing these tasks, but at the same time the DPO may not receive any instructions regarding the exercise of those tasks.
Workflow of External DPO
And the most important question – what tasks will the DPO perform within your company? The GDPR sets out the key obligations of the DPO in Article 39. These main tasks constitute the basic workflow of the external DPO.
Team. Learning. Awareness
The DPO interacts closely with the team members to ensure a sufficient level of privacy awareness among them. The DPO will help your team get to know all the key matters relating to privacy and will advise the team on all related issues. For this purpose the DPO may conduct awareness-raising training for staff involved in processing operations.
It is important to understand that the GDPR compliance of the team as a whole is confirmed by the performance of every involved employee.
Scheduled review of privacy documents
One of the DPO’s functions is to monitor compliance with the GDPR as well as other data protection regulations. To this end, the DPO schedules regular reviews of the company’s privacy-related documents and updates them to keep such documents in line with changes in business processes and applicable laws.
DPIA for new processes/products
The DPO advises on whether a Data Protection Impact Assessment (DPIA) is necessary and monitors the performance of the DPIA by the company’s employees.
Interaction with the users (answers to requests)
The DPO acts as the contact point for data subjects, and the DPO’s responsibilities include handling data subject requests. Therefore, such individuals may contact the DPO with regard to all issues related to the processing of their personal data by the company and to the exercise of their rights under the GDPR.
Interaction with clients (answers to privacy-related questions)
The DPO supports the company’s sales department during negotiations with clients. The DPO may also assist the marketing team in informing the company’s clients about the company’s privacy protection policies.
Cooperation with the supervisory authority
The DPO communicates with the supervisory authority on issues relating to the processing of personal data and drafts the answers to its requests. The DPO also advises on various matters relating to interaction with the supervisory authority, including whether a data breach has to be reported.
Advice on other privacy-related issues
The list of DPO tasks described above is not exhaustive. The DPO may advise on other privacy-related issues in the company and may perform other related functions.
All in all, an external DPO is a very useful position on your way to GDPR compliance. Whether you are obliged to designate a DPO under the Regulation or simply wish to maintain your company as a safe space for personal data – the DPO is at your service.
If this article has caught your interest, you may contact us to learn more about how our external DPO services may help in your case. Our privacy experts will be glad to help your company become GDPR compliant on a continuous basis 😊