The role of a data protection officer (DPO) is to work within the organisation as a representative for data subject rights. They must be able to inform and advise both the controller and the processor of their obligations, monitor compliance within the organisation, provide advice on assessments such as Data Protection Impact Assessments etc and be a point of contact for both the data subjects and the supervisory authority.
Not all organisations must appoint a DPO but one must be appointed if:
- the processing of personal data is carried out by a public body
- core activities require regular and systematic monitoring of personal data on a large scale
- core activities involve large-scale processing of special
categories of data.
In practical terms, where a DPO is not required by the regulation a responsible person should be assigned to the management of data protection practices within an organisation to carry out the tasks required by the organisation.
It is acceptable for a DPO to be independent of the organisation and many of ProvePrivacy’s partner network provide a DPO as a service offering.