What does a Data Protection Officer (DPO) do?
A data protection officer (DPO) is a natural person who is responsible for monitoring the data protection strategy of a company in accordance with the GDPR. In addition, the DPO is the contact person for data subjects, employees, or even the works council. Training employees in data protection compliance is also one of the tasks. To monitor all data protection regulations effectively, the role of the DPO requires a high level of expertise in data protection laws and practices. To ensure that data protection is fully monitored, a DPO is not subject to directives.
However, DPOs do not have the authority to give directives. When advising on data protection, they make recommendations which are implemented – or not – by management at its own discretion.
Detailed list of the tasks of a DPO
- Data protection officers are more or less the field office of the supervisory authority and monitor compliance with data protection measures in the company. Effective monitoring also includes unannounced on-site inspections.
- Creation of guidelines
  - Internal regulations, company agreements or general data protection guidelines: These documents are created with the advice of a DPO.
- Drawing up the list of processing activities
  - A data protection officer provides support with their expertise when drawing up a processing activity directory. The audit also falls under the tasks of a data protection officer. The creation itself is the responsibility of the controller.
- Investigate data protection incidents
  - Here it is important to note that the data protection officer has “only” an advisory function and does not bear the complete responsibility of implementing all data protection requirements alone.
- Investigate Data Transfer Impact Assessments (TIA)
  - Data protection officers also provide support in the form of advice in the case of a Transfer Impact Assessment (TIA).
- Employee training
  - It is not the training itself that is the responsibility of the DPO, but the proper implementation of it.
- Advising the works council
  - It is important here that the data protection officer does not end up in a conflict of interest. This would be the case if the DPO were also the managing director of a company.
How to become a data protection officer?
To be appointed as a data protection officer, you must have IT and legal knowledge and demonstrable expertise in data protection law. Business management skills and reliability are also part of the profile of a DPO.
The required level of expertise of a DPO depends on the scope of the company’s data processing.
A degree in law often helps to gain a professional foothold as a data protection officer. There is no classic training or course of study to become a DPO. Individual training is therefore essential.