The role of a Data Protection Officer
The Data Protection Officer (DPO) plays a key role in guaranteeing operational compliance. The function of a DPO is mandatory for all companies that monitor data subjects systematically and process their (sensitive) personal data.
Today personal data are part of all key operational processes. Personal data can be found in paper and electronic documents, information systems, databases, shared folders, cloud storage and other media, not to mention countless folders, filing cabinets and drawers. Along with the progress of digitalization, the volume of data to be processed is growing exponentially.
In the rapidly changing world, personal data protection is not an end state we reach but a live and dynamic process that must be monitored, optimized and supervised all the time. A Data Protection Officer (DPO) plays a key role in this regard.
Who has to appoint a Data Protection Officer?
Whether an organization needs to appoint a DPO or not will largely depend on the activity it pursues. If it engages in large-scale, systematic and regular collection and processing of various categories of personal data, it surely needs a DPO.
In addition to public authorities, a DPO must also be appointed by legal entities whose core activities consist of processing operations that require regular and systematic monitoring of the data of data subjects, e.g. banks, insurance companies, electronic communications operators, retailers with customer loyalty programs, recruitment agencies, many online stores, etc. The same rule applies to organizations that process health data or any other type of sensitive data (special categories of personal data), e.g. hospitals and clinics, health and social care institutions, and providers of health information systems and services.
Who can act as a DPO?
When appointing a DPO, many organizations find that their employees lack the necessary expertise and familiarity with data protection legislation, or simply do not have enough time due to their existing responsibilities.
According to the GDPR, DPOs may not be employed in a position where they are able to define the purposes and means of personal data processing. Given the above, executives, heads of operations, IT, HR or Marketing cannot serve as a DPO, as this would create a conflict of interest.
It is important that a DPO is well aware of Slovenian and European legislation and has an in-depth understanding of the GDPR as well as experience in the field of personal data protection. In addition, a DPO must understand the data controller’s operations and organization, the data processing IT systems and processes, and the relevant personal data protection requirements. A problem may arise when your organization currently does not employ such a person and there is a dilemma over whether it is sensible to recruit a new employee into the role of DPO.
An alternative to retraining or new recruitment is an external DPO. The GDPR permits organizations to entrust the role of the DPO to an external contractor. Unlike internal staff, an external DPO can sometimes more easily provide unbiased consulting on the processing and protection of personal data, help maintain a comprehensive data protection practice, and, most importantly, avoid the conflict of interest between an employee's function at the company and their role as a DPO.
What should we pay more attention to?
The first issue that deserves more attention is the (un)controllability of personal data in paper documents. Paper-based documents that contain sensitive information and personal data, e.g. personnel files and contracts, are still widely used. Often they are kept in desk drawers, unlocked cabinets or unsecured archival premises. Such storage of paper documents constitutes the highest risk in terms of personal data protection: it does not prevent unauthorized access to the data, potentially leading to misuse or abuse of information, it provides no audit trail of user activity, and it may cause considerable business damage.
Another major challenge is the sharing of documents that contain personal data. Every day, employees send each other documents via electronic mail or exchange them through web services. During such transfers, personal data are not protected and may easily fall subject to abuse or theft.
The third challenge is the inappropriate storage of documents containing personal data. Documents are often kept in several different systems, which makes centralized access control very difficult. What's more, not all systems record user access, and many employees store personal data in unsecured Excel spreadsheets and shared folders. On top of this, the GDPR requirements for audit logging, retention periods, and erasure of personal data, which may only be kept for the minimum period necessary, pose yet another challenge.
How can a DPO assist in ensuring compliance?
A DPO has to regularly monitor the compliance of personal data processing and protection with the applicable laws and policies and notify the company about its statutory obligations concerning personal data protection. It is crucial to ensure continuous training for employees who are involved in personal data processing, as well as further personal data protection awareness-raising and training campaigns.
Another task of the DPO is to consult on the risk assessments conducted prior to and during data processing. During processing, the DPO assists and guides the employees. The DPO also provides the responsible persons and supervisory bodies (e.g. Information Commissioner) with appropriate reports and analyses on personal data protection, conducts annual audits of personal data processing, and offers advice in implementing improvements.
The DPO is also involved in cases when data subjects request to exercise their rights under the GDPR, and advises on the preparation of Legitimate Interest Assessments (LIAs) to justify data processing.
Fear of penalty is not a good motive for long-term compliance
The decision to systematically regulate and maintain compliance in the field of personal data protection should not be driven by fear of high penalties but rather the awareness that in today’s world transparent and responsible handling of personal data is a competitive advantage.
In the digital world, where high expectations and changes often precede the legislation, responsible statutory compliance is a major challenge. By deciding to take a comprehensive approach to personal data protection, adopting a long-term data protection strategy and appointing the right person to act as the DPO, we can greatly reduce risks, strengthen our reputation, and maintain customer trust.
Want to know more? Contact us!