In 2018 GDPR (General Data Protection Regulation) came into effect, which is the most comprehensive regulation for personal data rights in EU (European Union). One of the controversial issues born from this regulation is when an organization needs a data protection officer and what are the duties and responsibilities of that person. In this article benefits of a DPO and ways of hiring one will be discussed besides previous questions.
What is a DPO (Data Protection Officer)?
The organization faces with difficulties, whether you are a data controller or a processor when it comes to personal data rights and compliance with GDPR. At that point, data protection officers take the wheel of these compliance processes as independent agents for the company. Their roles are really similar to a traffic police. They watch the data traffic like vehicles and ensure that it moves smoothly and appropriate to the relevant regulations. (1) (2)
Do you need to have a DPO in your organization?
Actually, this question can be answered under two separate headlines, which are mandatory and non-mandatory DPO’s. Article 37 of GDPR designates the compulsory circumstances for appointing a DPO. If the organization is a public authority or body (except for courts, which are acting in their judicial capacity) or its core activities require large-scale, regular, and systematic monitoring of an individual or it consists of large-scale processing of special categories of data or data relating to criminal convictions and offences (3), that organization must appoint a DPO under GDPR. On the other hand, if you are a community doctor or a lawyer, who works in a small law firm and process personal data, you do not need to appoint a DPO. It is non-mandatory. (4)
Roles and Responsibilities of DPO
GDPR defines and regulates the roles and responsibilities of a DPO. Some of the requirements can be listed like this:
Roles (Article 39) (5)
To make sure that the controller or processor is compliant with the relevant regulations, when protection of personal data is considered. (GDPR, Union or Member State data protection provisions)
Providing advice about data protection impact assessment and monitor its performance pursuant to Article 35
Informing data processor or controller about their obligations according to the relevant provisions.
Responsibilities (Article 38) (6)
A data protection officer acts independently and does not get any instructions for his/her tasks.
The officer shall be bound by confidentiality
The data controller and processor need to be aware that the officer is involved in all operations, which include the protection of personal data
What are the benefits of hiring one?
Although there is a separation between organizations, when we consider appointing a DPO as a must (mandatory) or not (non-mandatory), a DPO can benefit every organization in certain circumstances. It is a known fact that not complying with the regulations of GDPR when collecting or processing personal data can cost thousands of euros to that organization. Besides, these regulations include detailed provisions, which are more reliable to be analyzed by an expert. Therefore, appointing a data protection officer can both save money and reduce the administrative workload on employees in the organization. (7)
(5) GDPR, Article 39
(6) GDPR, Article 38
Av. M. Murat Gülgün
Av. N. Sena Sevindi
Stj. Av. İlayda Yüncü
Stj. Av. Berhan Sarılar