It’s very important to understand the difference between a Data Protection Officer and all other titles such as Data Privacy Officer, compliance officer, GDPR compliance officer, for one reason: only the Data Protection Officer (DPO) is regulated by the GDPR. In practical terms this means the DPO has specific tasks to carry out, a specific position within the organization, and specific protection with regard to liability.
And that’s not the case with all the other titles.
In an organization, someone might be responsible for GDPR compliance without being a DPO, and provided the organization doesn’t have to designate a DPO, that’s perfectly fine. The Data Protection Officer, however, is appointed through a procedure outlined in the GDPR, which involves distinct responsibilities such as monitoring adherence to the regulation, providing advice on data protection impact assessments, and overseeing their execution.
So in order to determine if your organization needs to appoint a DPO, or if it would be beneficial, let’s look at the cases where a DPO is mandatory.
Is a GDPR DPO Mandatory?
Organizations are required to ensure compliance with the GDPR, and this clearly necessitates having at least one person responsible for this task (a “lead” or “mission officer” for the GDPR).
Yet, the appointment of a GDPR DPO is mandatory only in three scenarios (Art. 37):
- If the organization is a public authority or body;
- If the organization conducts large-scale, systematic monitoring of individuals;
- If the organization’s core activities involve large-scale processing of sensitive GDPR data (Art. 9 and 10), such as health data.
Outside of these cases, appointing a DPO remains optional.
Is It Advisable to Appoint a DPO?
It is absolutely essential to have someone within the organization who is trained, and whose mission is to ensure that the obligations imposed by the GDPR are being met.
The DPO can partially play this role, or it can also be a person who has undergone GDPR training to ensure that the organization complies with data protection regulations.
In cases where the designation of a DPO is mandatory the situation is simple: the organization will have to appoint a DPO. However, do not expect the DPO to handle the GDPR compliance of the organization, that’s not his role at all! Yes, this adds to the confusion about the reality of the role of the DPO, but there’s a fundamental segmentation of responsibilities: the DPO is not the controller, and he is independent from him. Therefore it’s not his role to ensure the compliance of the organization, that’s the controller’s role! Do not confuse the two. Let’s look at article 38.3:
Art. 38.3 The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalized by the controller or the processor for performing his tasks.
The role of the controller is defined in article 4:
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
Therefore, the controller has to handle its own GDPR compliance, independently from the DPO, as it will be the one liable for it.
An easy way to understand the position of the DPO is to see him as an employee of the national supervisory authority, but paid by the controller. The DPO is independent from the controller, gives feedback about the level of compliance, does not organize the overall GDPR compliance of the organization, but helps review the work and provides an independent opinion in that regard.
Beyond the 3 cases where the organization has to appoint a DPO, its designation through the procedure outlined in the GDPR is at the controller’s discretion. Can it be beneficial? Certainly. In particular in very large organizations (Fortune 500, CAC40…) where a legal team is in charge of compliance, the DPO will offer an independent assessment of the work and quality control.
Two important requirements for the DPO
If the organization decides to appoint a DPO, two important requirements will need to be met (Art. 37.5), specifically:
- Knowledge of data protection law and practices
- Ability to fulfill their responsibilities
Fortunately, a full DPO training is already included in Legiscope, so there are no additional costs for organizations that choose our software; our training has been delivered to a significant number of DPOs of CAC40 companies and is very highly rated.
How is the GDPR DPO Appointed?
If an organization wishes to appoint a DPO in accordance with GDPR requirements, it must designate this individual directly to the national supervisory authority - in France, for example, the CNIL, which provides an online procedure.
Alternatively, if an organization simply wants someone to handle these matters without formal DPO designation, no procedure is required beyond ensuring that their responsibilities are included in the job description of the employee or in the service contract with the chosen provider.
Can the DPO be an External Party, or Must They Be Internal?
The DPO can be either an internal employee or an external service provider. Article 37.6 of the GDPR specifically allows for this:
- The data protection officer may be a staff member of the data controller or processor, or fulfill their tasks on the basis of a service contract.