The General Data Protection Regulation (GDPR) became mandatory in the European Union on May 25, and there are still some doubts regarding its scope. One of the most debated issues concerns the DPO (Data Protection Officer), a figure introduced by this new legislation. In today's article, we address the main questions about the DPO, the new profession created by the GDPR.
Who is the DPO?
This figure plays an essential role in the transition from the old law to the new legislation. The person responsible for data protection should ensure that everything is fully compliant by the date the GDPR enters into force. The role is assigned whenever data processing takes place in a public entity, whenever there is constant monitoring of people on a large scale, and whenever sensitive data is processed on a large scale. This professional should train their team, perform audits and be the point of contact with data protection authorities.
When is the appointment of a DPO mandatory?
The new regulation requires that a DPO be designated if one of these cases occurs:
- The processing of data is carried out by a public entity (except courts that act in their judicial capacity);
- The core activities of the company consist of regular and systematic monitoring of personal data of subjects on a large scale;
- The core activities of the company are the large-scale processing of data related to criminal activity, complaints, offenses, etc., as provided for in Articles 9 and 10.
The DPO can work part-time or full-time and may be an internal employee of the company or hired externally. The DPO must be a professional with relevant training in the area and is the person responsible for all matters relating to personal data in the company.
Main functions of a DPO
- Define a strategic action plan for the implementation and ongoing evaluation of the GDPR. All areas of the company should be involved, and this plan should include the identification, evaluation and categorization of the private data that the company has stored.
- Adapt or create processes so that data is protected. The methodology used should be privacy by design, to facilitate the monitoring of communication of events related to personal data.
- Implement processes to detect, report and resolve personal data breaches, always keeping security in mind. In this case, it is advisable to use recovery-as-a-service solutions.