The role of the Data Protection Officer

There is a lot to be said on this topic, and the article below is just a snapshot:

The appointment of a DPO is mandatory for the following organisations:

  • Public authorities or bodies (excluding courts whose processing relates to their judicial operations).
  • Organisations whose core activities involve regular, systematic and large-scale monitoring of data subjects.
  • Organisations whose core activities consist of the large-scale processing of special categories of data or data relating to criminal convictions and offences.

As stated in the guidance (paragraph 2.5, WP29 Guidance), the DPO should be appointed on the basis of their professional qualities and expert knowledge of data protection law and practices. The required level of experience should be commensurate with the sensitivity, complexity and amount of data an organisation processes. This is consistent with the GDPR, which explains:

“The necessary level of expert knowledge should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor.” (Recital 97.)

A case-by-case analysis of the role’s requirements specific to the organisation making the appointment is needed. However, the WP29 Guidance recommends certain qualities and expertise that form a baseline that all appointed DPOs should meet:

  • Expertise in national and European data protection laws and practices, including an in-depth understanding of the GDPR.
  • Understanding of the processing operations carried out.
  • Understanding of information technologies and data security.
  • Knowledge of the business sector and the organisation.
  • Ability to promote a data protection culture within the organisation.
  • Personal qualities including integrity and high professional ethics.

When developing a profile for the DPO, also consider the organisational dynamics. These will include whether any conflicts of interest prevent the DPO from operating with independence, and whether the DPO is supported adequately, both in terms of access to senior management and key employees, and in the resources afforded to the DPO.

21 Law, in collaboration with Camilleri Preziosi Advocates, Fenech and Fenech Advocates and Mamo TCV Advocates, is organising a course for DPOs. This course has limited places, as the aim is for participants to have a thorough understanding of the law and their role.