Data Protection Officers roles were revised by GDPR and the member state implementations. Here is a reminder for those that need it.
Article 37 states that a processor or controller requires a DPO if it is a public authority, if it requires regular sys systematic monitoring of data subjects on a large scale or if it processes special data.
A DPO may work for multiple companies, but Article 38 requires the DPO to be adequately resourced and supported.
The DPO must be appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks specified in the GDPR Article 39.
Article 38 states that the DPO must be involved in in all issues which relate to the protection of personal data, be properly resourced to perform their duties and to maintain their professional expertise, not receive instructions on the conduct of their duties, not be dismissed for doing their job, and report to the highest levels of management.
The tasks of the role are defined in Article 39, the job is to advise the highest levels of management on their obligations, to monitor compliance including the assignment of responsibilities, training and operations’ audits, to assist and monitor the data privacy impact assessments, to cooperate and act as a contact point for the supervisory body, in the UK, the ICO.
I have used the EU text as the source of my summary and is reproduced overleaf/below ...
This post was originally posted at linkedin.
