In this video, Mandy Huth explores the role of the data protection office under GDPR. Learn what the DPO role requires, its assurance of independence, and the related tasks.
- [Instructor] An organization's ability to conform to the GDPR lies heavily with the role of the Data Protection Officer, or DPO. Understanding what a DPO is is critical to identifying the right person for the role. Who needs a Data Protection Officer? The regulation states that any controller or processor who requires regular and systematic monitoring of data subjects on a large scale needs a DPO. A DPO's primary role is not always a singular role, in that it's not that person's only job.
Most often, it depends on the size of the organization. Of important note is that the Data Protection Officer must report to the highest management level, and that usually means reporting to the C-suite. When we talk about the appointment of a Data Protection Officer, we have to look at their particular knowledge of data protection, but more importantly, their ability to fulfill duties. The DPO may be employed or contracted, but the DPO cannot be a temporary position.
It's also often a good fit when that person has a strong understanding of the organization. GDPR rules ensure that the DPO is an independent position. What that means is the DPO can't be swayed by business interest. The Data Protection Officer can request support as needed to ensure fulfillment of their duties. In order to avoid a conflict of interest, the DPO is not allowed to be the controller, too. The minimum tenure of the Data Protection Officer is two years.
That can be renewed for a maximum of five terms, or up to ten years. Most often, the average tenure is two to five years. Important to note here is that the DPO cannot be dismissed unless they are not fulfilling their duties, and only with consent of the governing authority. Let's take a look at the six tasks that a Data Protection Officer is responsible for. First, they must inform data subjects about their rights and raise awareness of the regulation.
They must also advise their institution about the application of the GDPR rules. Thirdly, they must do prior checks of risks and have a list of operations that the organization will undertake. Next, they must help the institution be accountable to the governing agency. The Data Protection Officer must also answer any questions and handle complaints. Finally, in the case of an investigation, the Data Protection Officer must help with the cooperation between their organization and the governing agency.
As we can see, the Data Protection Officer role is embedded in an organization's ability to maintain compliance with GDPR.
DISCLAIMER: Neither LinkedIn nor the instructor represents you, and they are not giving legal advice. The information conveyed through this course is not intended to give legal advice, but instead to communicate information to help viewers understand the basics of the topic presented. Certain concepts may not apply in all countries. The views (and legal interpretations) presented in this course do not necessarily represent the views of LinkedIn or Lynda.com.
- Define the objectives of GDPR relating to the personal privacy of citizens.
- Determine the responsibilities of data protection officers under GDPR.
- Identify the rights of citizens in the event of a data breach.
- Review the steps that must be taken in the event of a data breach.
- Describe the notification process in the event of a data breach.