Appointing an authorized Data Protection Officer
The implementation of the GDPR has imposed another task: the need to appoint the Data Protection Officer. This previously unknown term has suddenly been put at the center of debates, dilemmas and challenges to meet all the requirements of the GDPR.
So, we have to decide who to appoint to the position of the Data Protection Officer, or DPO. We are unsure whether it makes more sense to choose one of our own or hire an external DPO. Let us take a look at some facts that will make that decision easier.
Certain positions create a conflict of interest
Perhaps the CEO is the best person for the role of the DPO – he or she knows the company’s operations and business processes inside out. Or maybe the Head of HR, IT Director or Marketing Director?
Unfortunately, it is not so simple. The authorized Data Protection Officer should not be employed in a position which enables him or her to determine the purpose and methods of processing personal data. Let us look at the Head of HR, who stores and processes personal data of employees in personnel files and keeps the personal data of applicants on file for future employment opportunities. Since the person in this position directly decides for what purpose data should be used, they cannot assume the role of a DPO. Moreover, the Head of HR normally does not possess the needed expertise and experience.
cannot be appointed DPOs since such an appointment would create a conflict of interest. When such a situation arises, the best solution is to appoint an external DPO, as a simple and efficient way to avoid having to deal with conflict of interest issues.
Expertise is key
It is important that a DPO is well aware of the Slovenian and EU legislation and has an in-depth understanding of the GDPR as well as experience in the field of personal data protection. A DPO must also understand the data controller’s operations and organization, the data processing IT systems and processes, and the relevant personal data protection requirements.
A DPO uses a combination of in-depth knowledge and experience in a range of fields, with day-to-day practice still more than a routine matter. A problem may arise when your organization currently does not employ such a person and there is a dilemma over whether it is sensible to recruit a new employee into the role of DPO. We are here to provide you with an alternative to training a member of your staff or employing a new person: appoint an external DPO.
- The question is whether it is sensible to recruit a new employee as DPO although his or her tasks may not be enough for full-time employment.
We've been successfully cooperating with Mikrocop's team on personal data protection since 2014. Their professionalism and expertise are second to none. Ensuring GDPR compliance is definitely a complex task, but quite manageable with a systematic approach and a reliable partner.
– Vanja Lombar, Managing Director at OMV Slovenija
Training and keeping up to date requires time and money
The DPO has to keep up to date with the novelties in personal data protection law and case law. Since we are occupied with our daily tasks, we often find no time for further training and education. Furthermore, acquiring special qualifications and certificates that testify to the required personal data protection knowledge certainly requires some financial investment.
What are the tasks of an external DPO?
- Notification and consulting
- Monitoring compliance
- Employee notification and training
- Providing advice and assistance
- Collaborating with the Information Commissioner
- Conducting annual audits
Want to know more? Contact us!