The main tasks of the DPO are:
- independent supervision of an organisation’s compliance with the GDPR
- advising on how best to address the compliance obligations, and
- overseeing staff dealing with personal data.
DPOs do not have to be lawyers but need to be suitably qualified, with expert knowledge of data protection law and practices. From a practical perspective, DPOs must have a good understanding of the organisation’s data processing arrangements, be familiar with its information and technology infrastructure and be prepared to respond to requests from individuals who want to exercise their rights about the processing of their personal data.
The requirement to appoint a DPO might look like a burden at first glance but it can also bring benefits to the business. Centralising data protection can reduce bureaucracy and be an efficient way to ensure compliance with the data protection requirements. This is especially true when it comes to sophisticated data processing activities and cross-border data flows within a large organisation or group of companies. Experience has shown that designating a DPO can provide a suitable method of corporate self-governance. Effective compliance management by the DPO will reduce interventions by the authorities and can help prevent costly disputes.
In addition to appointing a DPO, data controllers and processors are required to provide the DPO with all the resources needed to fulfil these obligations. A number of tools can help the DPO discharge his or her responsibilities and help the controller or its processors "demonstrate" compliance with the principles relating to the processing of personal data.
To understand how tools can help the DPO, look at the DPO's main responsibilities:
- perform his or her tasks having due regard to the risk associated with processing operations
- provide independent supervision of an organisation’s compliance with the GDPR
- inform and advise the controller or the processor and the employees who carry out processing of their GDPR obligations
- monitor compliance with the GDPR and with the policies of the controller or processor in relation to the protection of personal data, including the performance of assigned responsibilities and the related audits
- provide advice where requested by the controller or processor regarding the data protection impact assessment and monitor the responses of the data controller, including the reviews carried out by the controller to assess if processing is performed in accordance with the data protection impact assessment
- act as the contact point for the supervisory authority on issues relating to processing, including when prior consultation is required.
With such responsibilities, tools can assist the DPO to:
- inventory information assets
- maintain a register of legal and contractual data processing obligations
- collect information about and document the processing of personal data
- maintain a repository of relevant data processing information
- maintain catalogues of privacy threats
- perform privacy threat and vulnerability assessments
- assign and track progress with data protection related activities
- detail preferred data processing practices for specific business units
- maintain catalogues of data processing safeguards
- identify safeguards and monitor effectiveness
- monitor sensitive business practices
- receive alerts of vulnerabilities and interferences with data subjects' rights
- record and process information requests and handle complaints
- measure conformance and performance
- track responses to instances of non-conformance.