Under Europe’s General Data Protection Regulation (“the GDPR”), Controllers and Processors are obliged, in certain circumstances, to appoint Data Protection Officers (“DPOs”) responsible for facilitating data protection compliance. Additionally, the GDPR sets requirements for the DPO position and defines the minimum tasks that must be allocated to the DPO role. In preparing for and complying with these requirements, companies need to consider the practical implications of appointing, and where necessary formulating, the DPO role.
While some companies may be able to leverage organizational development specialists to facilitate their preparation efforts, other companies will approach these matters in accordance with their existing compliance governance models, functional roles and practices related to the DPO mandates within the GDPR.
The GDPR defines when a DPO is required
The GDPR requires Controllers and Processors to appoint a DPO in certain circumstances. Most notably for small to mid-size companies that are required to appoint a DPO, the GDPR allows the DPO role to be fulfilled either by an employee or by a third party retained under a service contract. Additionally, with respect to a “group of undertakings” involving multiple Controllers, Processors and processing activities, the GDPR allows a single DPO to be appointed to preside over such business arrangements.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.