The General Data Protection Regulation (GDPR) is the North Star of data privacy and security, and for good reason. Since its adoption in 2016, it has been revered for its strong protection of EU citizens, along with its compliance requirements and heavy penalties for noncompliance.
And, in 2019, the compliance list got even longer, as GDPR mandated the appointment of a Data Protection Officer for eligible organizations.
In this article, we unpack everything you need to know about this important position and what it indicates about increasing GDPR compliance risks.
What is a GDPR Data Protection Officer (DPO)?
Capturing and storing the personal data of European Data Subjects is no easy feat: it requires accountability, integrity, and responsibility to abide by strict legislative rules. That’s where a DPO comes in.
A DPO is in charge of advising and monitoring an organization’s GDPR compliance and managing relationships with supervising authorities. Article 37 requires that the DPO have “expert knowledge of data protection law and practices” to fulfill the role. With technology constantly evolving and changing, it’s up to the DPO to stay on top of tech and GDPR news, capturing a full view of the security and data privacy landscape.
What does the GDPR DPO role entail?
The GDPR DPO, like the legislation itself, has strict obligations. In establishing the position, Article 38 says that “the controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.” The DPO must report to the highest level of management of a controller or processor and cannot receive any task instructions from their organization’s employees.
According to GDPR Article 39, a DPO’s responsibilities include, but are not limited to:
- Conducting regular audits and assessments to monitor GDPR compliance
- Training staff on GDPR compliance requirements, processing operations, and related audits
- Serving as the contact point between the organization and the supervisory authority
- Communicating with EU citizens (known as Data Subjects) about how their personal data is being used and about the data protection measures enacted by the company
- Making sure that Data Subjects’ requests are fulfilled, such as requests to receive copies of their personal data or to have their data completely erased
At its core, a DPO is fiercely independent. The role relies on expert knowledge of data protection law and practice to deliver timely, quality outcomes while remaining insulated from the rest of the organization. Therefore, it’s critical that organizations do their homework in selecting the right candidate, or risk heavy fines and reputational damage.
Does my company need a DPO?
Appointing a DPO is an important milestone for your company, spotlighting your commitment to GDPR and data protection. But it’s not a necessity for all organizations. Under GDPR Article 37, a DPO is required only if you meet one of the following criteria:
- Your organization is a public authority or body conducting data processing, with the exception of courts and independent judicial authorities
- Your organization’s core activities include processing large amounts of EU residents’ personal data
- Your organization’s core activities include conducting regular, systematic monitoring of EU residents
While it may come as a surprise, a company’s size doesn’t dictate its obligation to appoint a DPO. So long as your company’s core activities align with the criteria above, your company is on the hook for appointing a DPO.
What happens if you fail to appoint a DPO?
If your organization is required to appoint a DPO and you don’t comply, the financial and reputational impact can be significant. Companies can be fined as much as 10 million euros or 2% of the company’s global turnover, whichever is higher.
How Own Supports GDPR Compliance
Having a DPO isn’t a must-have for every company, but its addition to the GDPR compliance checklist will likely get you thinking about what else you might be missing. With compliance regulations constantly evolving, it’s an excellent opportunity to review and assess your GDPR initiatives, starting with your third-party SaaS data protection solutions.
Whoever is responsible for your GDPR compliance, be it a DPO or a designated team, should be able to do more than check the necessary compliance boxes; they should also be able to make the processes for keeping data GDPR compliant easier. With Own, you can trust that GDPR regulations and your unique SaaS data needs are being streamlined across all products in all environments: Recover, Archive, Sandbox Seeding, and Secure.