The GDPR introduces a duty for you to appoint a data protection officer (DPO) if you are a public authority, or if you carry out certain types of processing activities.

DPOs assist you in monitoring internal compliance, inform and advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority. The DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level. A DPO can be an existing employee or externally appointed. In some cases several organisations can appoint a single DPO between them. DPOs can help you demonstrate compliance and are part of the enhanced focus on accountability.

Under the GDPR, you must appoint a DPO if:

a) you are a public authority (except for courts acting in their judicial capacity);
b) your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
c) your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.

This applies to both controllers and processors. You can appoint a DPO if you wish, even if you aren't required to. If you decide to voluntarily appoint a DPO, you should be aware that the same requirements for the position and its tasks apply as if the appointment had been mandatory.

Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and resources to discharge your obligations under the GDPR. However, a DPO can help you operate within the law by advising and helping to monitor compliance. In this way, a DPO can be seen to play a key role in your organisation's data protection governance structure and to help improve accountability.

If you decide that you do not need to appoint a DPO, either voluntarily or because you don't meet the above criteria, it is a good idea to record this decision to help demonstrate compliance with the accountability principle.



The DPO reports directly to the highest level of management and is given the required independence to perform their tasks.

The DPO is involved, in a timely manner, in all issues relating to the protection of personal data.

The DPO will ensure that any other tasks or duties that are assigned do not result in a conflict of interests with their role as a DPO.


The DPO is tasked with monitoring compliance with the GDPR and other data protection laws, our data protection policies, awareness-raising, training, and audits.
We will take account of our DPO's advice and the information they provide on our data protection obligations, including:

a) to inform and advise you and your employees about your obligations to comply with the GDPR and other data protection laws;
b) to monitor compliance with the GDPR and other data protection laws, and with your data protection policies, including managing internal data protection activities, raising awareness of data protection issues, training staff and conducting internal audits;
c) to advise on, and to monitor, data protection impact assessments;
d) to cooperate with the supervisory authority; and
e) to be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc.).

The DPO should prioritise and focus on the more risky activities, for example where special category data is being processed, or where the potential impact on individuals could be damaging. Therefore, DPOs should provide risk-based advice to your organisation.

The DPO acts as a contact point for the ICO. They co-operate with the ICO, including during prior consultations, and will consult the ICO on any other matter where appropriate.

If your organisation decides not to follow the advice given by your DPO, it should document its reasons to help demonstrate accountability.