A DPO is an individual appointed by an organisation to assist them with data protection compliance. A DPO should be an expert on data protection.
A DPO must be allowed to function independently, meaning that they can carry out their data protection compliance tasks without fear of dismissal or other detriments as a result of, for example, them bringing any compliance issues to light.
Appointing a DPO does not shift ultimate responsibility for data protection compliance onto the DPO. The DPO helps an organisation to achieve compliance, but responsibility still ultimately lies with the data controller (ie the party that decides the purposes and means of processing personal data, such as names and addresses; processing includes, for example, collecting and storing that data) or the data processor (ie the party that processes personal data on the instructions of the data controller).
What does a DPO do?
A DPO’s role can cover a range of tasks related to an organisation’s data processing activities. These include helping to:
- monitor compliance with internal policies and data protection laws (eg by assessing how an organisation processes and securely stores personal data and by conducting audits)
- inform and train people within the organisation about data protection laws, obligations, and practices
- create data protection documents or carry out data protection procedures (eg Data protection impact assessments (DPIAs) or an Information security policy)
- run communications about data protection (eg by being the first point of contact for data subjects (ie the individuals that personal data relates to) and the Information Commissioner’s Office (ICO))
A DPO can sometimes perform other tasks (ie outside of their core tasks, listed above). They cannot, however, work on anything that would introduce a conflict of interest with their core tasks. For example, a DPO could not be asked to do a marketing task that considers how to communicate with potential customers, as the decisions involved would likely create a conflict between the marketing campaign’s aims and data protection compliance aims.
It’s also required that a DPO can report directly to the highest level of an organisation’s management (eg board level). They may interact more regularly with another lower manager (eg a line manager), but they must have direct access to the highest level of management (ie the people who make decisions about data processing).