Data ProtectionOfficer (DPO): a new role introduced by the European Regulation that many controllers will have to identify and appoint.
The DPO can be either employed by the company or be an external party such as a lawyer, an engineer, or otherwise a person with appropriate skills.
The GDPR does not specify skills to take into account when choosing a Data Protection Officer, even though knowledge of the relevant legislation and the European Data Protection Regulation is essential.
They must have technical and legal skills because their appointing is based on the in-depth knowledge of the legislation, of personal data protection practices and the ability to perform the tasks entrusted to them; they must also be evaluated on the basis of their ability to process personal data using state-of-the-art technology.
These skills are essential to verify the compliance of the obligations and solutions adopted by the controller or the data processor.
They must understand the functioning of the systems that process personal data and be able to assess the adequacy of the technical and organizational security measures adopted even in case of complex situations.
The DPOs must also have organizational skills and operational capabilities to be able to both identify any deviations from what is required by law and to suggest new solutions that can improve business compliance, taking advantage of bureaucratic requirements as an opportunity for growth of data protection in the company.
From an internal point of view, they DPO often find himself in dialogue with top management, who will have to involve him or her in matters falling within his competence, and with authorized persons, who will be able to consult him or her in the event of any doubts regarding the application of the Regulation or for training and awareness-raising initiatives.
From an external point of view, the DPO may come into contact with data subjects who need information on the processing or the exercise of their rights or with the supervisory authority with which it cooperates, for example, during inspections, notification of a personal data breach or prior consultation when necessary.
His ability to make himself understood by activating a communicative strategy within the company, which is functional to establishing a relationship of collaboration with his collaborators, is also fundamental.
In addition to communicating, it must be able to listen carefully and willingly, providing the necessary clarifications and making it easier to identify appropriate solutions that gradually lead the company towards appropriate improvements.
As recital 97 states, “should be in a position to perform their duties and tasks in an independent manner”.
In this case, to be ethical means to maintain, even in complex situations, an impartial attitude, which is a necessary characteristic to play guarantee roles like this one.
On some occasions, it may happen that an activity carried out on processing operations does not comply with what is required by the law. In this case, it is the duty of the DPO to point this out, even if it is likely to come into conflict with the person who has designated it.
In addition to technical, legal and interpersonal skills, it will be important for the DPO to maintain a sense of responsibility and a strong sense of consideration for its task, which is exclusively aimed at protecting the right to data protection and increasing the guarantees for the data subjects.
In particular, the DPO shall not:
Article 38 (2) of the GDPR also requires the controller or the processor to provide the DPO with the “resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge”.
These resources must be of an economic and temporal nature in order to carry out the tasks in an appropriate manner.
To become a DPO you do not need a specific certification, but you must demonstrate your knowledge of the legislation and previous experience on issues closely related to the protection of personal data.
It is the responsibility of the Controller to demonstrate that they have chosen a suitable person to fulfill the role, taking into account their qualifications, previous experience and courses attended.
In addition to an adequate knowledge of the methods of processing with computer systems, including the aspects of cybersecurity, it is also important that the DPO has in-depth knowledge of the business field in which the organization operates.
According to Article 37 of the GDPR, the appointment of a DPO is mandatory in three specific cases:
To add a Data Protection Officer, simply go to the DPO section of an organization and click the (+) button.
In case they are not present, in this section you can enter the reasons that led the organization to the decision not to proceed with their appointment.
The DPO can be either a company or a natural person, and it is sufficient to fill in the personal data and save it. You can also specify if the DPO is internal or external and, in the last case, you can enter all the information of the company for which the DPO works.
In both cases, you can add the service contract by clicking on the Attach button, through which you can upload any type of document.