On 25 May 2018, the EU General Data Protection Regulation (GDPR) came into force, changing the way companies handle personal data. Among the new requirements to look out for is the obligation, for many organizations, to appoint a Data Protection Officer (DPO). But what precisely is a DPO, and do all organizations need one?
An extra, independent set of eyes
The EU describes its own Data Protection Officer as someone who ‘ensures, in an independent manner, that the European Commission correctly applies the law protecting individuals’ personal data. The DPO keeps a public register explaining all operations carried out by the Commission that involve processing personal data’. That description is written for the Commission’s DPO, but the function is the same in any organization: an independent check on how personal data is processed.
Under the GDPR the role is formalized for all organizations that must appoint one. The DPO is an employee or an external consultant with expert knowledge of data protection law and practice, who oversees the organization’s implementation and ongoing maintenance of the GDPR rules.
All public authorities and bodies have to have a DPO (except courts acting in their judicial capacity). A private company needs a DPO if its core activities consist of regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of special categories of personal data (such as health, biometric or religious data) or data relating to criminal convictions and offences. Note that the often-quoted threshold of 5,000 data subjects in a 12-month period comes from an earlier European Parliament draft; the adopted regulation speaks only of ‘large scale’ processing without fixing a number, so the assessment has to be made case by case.
The DPO’s job is to inform and advise the organization and its employees of their obligations when collecting and processing personal data, to inform the persons whose data are collected of their rights, to monitor compliance with the law and with the organization’s own data protection policies, to investigate data protection matters, to help maintain the register of processing operations and to cooperate with the supervisory authority. The DPO must be able to act independently: the organization may not penalize or dismiss the DPO for performing these tasks, much like the protection given to an employee representative. The DPO reports directly to the organization’s top management and acts as the contact person between the company and the data protection supervisory authority.
Not a CDO
There has been some confusion about the difference between a Chief Data Officer (CDO) and a Data Protection Officer (DPO). They are distinct roles and should not be conflated, even though both touch on how the organization handles data.
The CDO sits in an organization’s top management layer and bears responsibility for the company’s enterprise-wide data and information strategy, governance, control, policy development and effective exploitation of data as a business asset. The CDO is accountable for information protection and privacy, information governance, data quality and data life cycle management. The DPO, by contrast, is an independent function that checks the organization’s compliance with data protection law rather than owning its data strategy.
The role of the CDO is on the rise, with analyst firm Gartner predicting that by the end of 2017, 50% of all companies in regulated industries would have a CDO, mainly because regulation is tightening and data is increasingly treated as a corporate asset.
Read more articles about the EU GDPR, how to get in control before May 2018 and how to stay in control, or download the EU GDPR e-book.
Read and learn more about Omada’s identity management and access management solutions.