As a company leader, you must be familiar with the role of Data Scientist and Data Analyst, but, have you ever heard about the role of Data Protection Officer?
What is the Data Protection Officer (DPO)?
When the organization require to follow EU General Data Protection Regulation, they must appoint the Data Protection Officer within the organization.
In the EU institutions and bodies, the applicable Data Protection Regulation (Regulation (EU) 2018/1725) obliges them each to appoint a DPO. Regulation (EU) 2016/679, which obliges some organisations in EU countries to appoint a DPO, will be applicable as of 25 May 2018. (https://edps.europa.eu/data-protection/data-protection/reference-library/data-protection-officer-dpo_en)
The Data Protection Officer is the role within the organization that ensure the organisation processes the personal data of its staff, customers, providers or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules (https://edps.europa.eu).
Position within the organization
The DPO is an integral part of an organization and should be work independently to ensure the compliance with the regulation. It is a unique role since the DPO should be collaborate with all of the division within the organization since the data processing possible to happened in all of the departments.
The leader in an organization must involving the DPO in every project meeting since the task of DPO is to ensure the process is not violating the regulation in term of personal data processing.
In term on the independency, there are a number of assurances guaranteeing it based on EU Institutions and body (https://edps.europa.eu/)
- The applicable rules for EU institutions and bodies expressly provide that the DPO shall not receive any instructions regarding the performance of her duties;
- There must not be a conflict of interest between the duties of the individual as a DPO and her other duties, if any. To avoid conflict, it is recommended that:
a. a DPO should not also be a controller of processing activities (for example if she is head of Human resources)
b. the DPO should not be an employee on a short or fixed term contract
c. a DPO should not report to a direct superior (rather than top management)
d. a DPO should have responsibility for managing her own budget.
- The organisation must offer staff and resources to support the DPO to carry out her duties. In this respect, DPOs in EU institutions and bodies can be seconded by an assistant or deputy DPO, and can rely on data protection coordinators (DPCs) in each section of the organisation. Access to resources also includes training facilities.
- The DPO should have the authority to investigate. In EU institutions and bodies, for instance, DPOs have immediate access to all personal data and data processing operations; those in charge are also required to provide information in reply to her questions.
- A minimum term of appointment and strict conditions for dismissal must be set out by the organisation for a DPO post. In the EU institutions and bodies, the DPO is appointed for a period between three and five years, may be reappointed and can be dismissed only with the consent of the EDPS.
In Articles 38 and 39, the GDPR assigns six major tasks to the DPO:
- To receive comments and questions from data subjects related to the processing of their personal data and the GDPR.
- To inform an organization and its employees of their obligations under the GDPR and any other applicable EU member state data protection provisions.
- To monitor an organization’s compliance with the GDPR and any other applicable EU member state data protection provisions, train staff on compliance, and perform audits.
- To perform data protection impact assessments (Article 35).
- To cooperate with the data protection supervisory authority.
- To act as the focal point for the data protection supervisory authority on matters relating to the processing of personal data and other matters, where appropriate.
Hire a DPO
How to hire the DPO? can we use current staff as the DPO?
Before hire the DPO for your organization, you need to aware that this is the skillset of a person that will be hire as the DPO :
- Significant (over 5 years) experience working with EU and global privacy laws, including drafting of privacy policies, technology provisions, and working on compliance
- Significant experience working with IT programming or infrastructure, including certification in information security standards
- Significant experience in performing audits of information systems, attestation audits and risk assessments
- Demonstrated leadership skills achieving stated objectives coordinating with a diverse set of stakeholders and managing multiple projects at once
- Demonstrated ability to continuously coordinate with multiple parties and supervisors while maintaining independence
- Demonstrated communication skills to address different audiences, from the board of directors to data subjects, from managers to IT staff and lawyers
- Demonstrated self-starter with ability to gain required knowledge in dynamic environments and remain up-to-date on cutting-edge developments
- Demonstrated record of engaging with emerging laws and technologies
- Experience in legal and technical training and in awareness raising
- Experience in dealing successfully with different business cultures and industries
A company could hire the DPO from the current IT or legal staff as long as the company must provide a training for GDPR or some certification that related to the data privacy such as CIPP/US and CIPP/EU. Although a company hire the DPO from their internal staff, a company must let the DPO work on his/her own way independently.
It is also possible to hire the DPO from the external organization as long as the DPO does not come from the data processor. A company could hire a DPO by posting job vacancy or hire a consultant that could help a company established the data privacy protection within the organization.
IT or law background?
Here is the last challenge in recruiting the Data Protection Officer, which one is better to hire as the DPO? a person with ICT or law background?
There is no answer for that and it is the challenge of the recruitment since a company should check the experience of the DPO before hiring him/her.
A candidate with ICT background will have a strong knowledge about the data processing flow and the threat in the process since they are familiar with the ICT terms. However, there is a weakness on understanding a compliance on a certain industry such as health or financial.
A candidate with law background will have a comprehensive understanding about the digital law and the candidate could adapt with a spesific industry. However, there will be a difficulty in understanding some ICT terms when assessing the risk in data flow.
There is a rising trend of DPO job in the world. Around 28000 DPO needed in 2018 and the last report in 2020 said that more than 100.000 DPO are needed. This role is getting important since the data privacy awareness spread among the industry.
But, how is the condition in Indonesia? is it necessary to have the DPO in an organization? lets explore it on the next article.
Jati graduated his Master’s in ICT in Business and the Public Sector from Leiden University, the Netherlands. He is now currently pursuing his PhD from Leiden University on the topic of data privacy for the VODAN-Africa project.