
GDPR: what is a data protection officer?

Al Brown
As companies gear up for the GDPR taking effect on 25 May 2018, plenty has been written about the new requirements on processing and controlling personal data. Less has been said about the role the regulation creates to oversee all of that: what actually is a data protection officer (DPO), and what are their duties?

DPO is much more than a title. Data protection officers are the point of contact between the company and the supervisory authority, but they are also responsible for informing and advising the company on its obligations, monitoring compliance (including conducting audits), and training any staff involved in data processing. They also help the company create and maintain its records of processing activities, including the purpose of each activity; these records must be made available to the supervisory authority on request. If data subjects ask how their data has been used, the DPO is their point of contact and must tell them, as well as explaining their rights (including the right to have personal data erased) and how the company is protecting their personal data.

Plainly, a DPO needs up-to-date knowledge of data protection law and practice, but they also need to understand the company's IT infrastructure and be able to communicate effectively with staff, external regulators and clients. Crucially, the DPO may be the individual who notifies the supervisory authority of a personal data breach on the company's behalf (the GDPR requires notification within 72 hours of the company becoming aware of it), knowing that the company may face substantial fines as a result. The regulation protects the DPO here: they must report directly to the highest level of management and cannot be dismissed or penalised for performing their tasks. Even so, identifying and fixing compliance gaps without causing conflict may require an individual with patience!

Training courses are springing up online offering a fast track to becoming a data protection officer, but it is worth considering that an effective DPO also needs experience of EU privacy legislation, as well as of the privacy laws of any other country in which the company conducts its business.

DPOs also need to understand risk, both in terms of IT security and in the sector in which the company operates, and to consider how advances in technology may change it. The GDPR allows a DPO to hold other roles, but only where they do not create a conflict of interest. A role that decides how and why personal data is processed (head of IT or an IT security officer who owns the systems being assessed, for example) is generally considered to conflict with the DPO's monitoring duty, so if the DPO also carries such a role, the conflict needs to be identified and resolved.

So, a DPO needs IT experience, some legal knowledge, an understanding of risk, sensitivity to the different business environments in which the company operates, and strong interpersonal skills. In a large organisation, it may make more sense to set up a whole DPO team, with one named DPO and responsibilities allocated to team members according to their expertise.

Capita IT Resourcing has successfully helped a number of companies to hire DPOs so far. If you would like to discuss how we could assist you with your hiring, please get in touch on 0162 856 7101.

Read our related blog:
GDPR: 5 things you need to know