The Data Protection Officer: functions and responsibilities

Who is the DPO (Data Protection Officer)? Why is this function so important in a company?

The DPO is the Data Protection Officer, a technical and legal advisor with executive power.

This is a new professional figure introduced by the GDPR, and their responsibilities to inform, monitor and cooperate are outlined precisely in Article 39.

His duty is to ensure that the processing of personal data and risk management are coordinated in accordance with the European Regulation.

That is why he advises and guides data controllers, employees and data processors in this regard.

Data Protection Officer: when it is recommended to have one and when it is mandatory

Data Protection Officer and the obligatory nature of his designation

The designation of a Data Protection Officer is not always mandatory.

The mandatory cases are:

  • when personal data is processed by public authorities (for example, schools or public hospitals);
  • for companies that process personal data based on large-scale monitoring;
  • for entities that process judicial, union or biometric data.

Its designation is instead advisable for public service contractors or, in any case, for companies and professionals that need to record personal data every day.

In any case, thanks to moltosenso’s consultancy, it is possible to clarify any doubts about it.


What is accountability and how is it related to the figure of the Data Protection Officer?

Accountability is a fundamental principle introduced by the GDPR, as well as one of the guiding criteria of the Data Protection Regulation.

Accountability literally means “responsibility” and is therefore linked to the concept of being “trustworthy”. In this sense, it is said that the company, entity, association or entrepreneur that processes personal data must be “accountable”.

The Data Protection Officer, as part of his function of cooperation and collaboration, has the task of ensuring that the data controller is “accountable”, i.e., behaves according to the principle of “accountability” introduced by the GDPR.

Being responsible means, as the European Regulation underlines, being aware of the risks in the privacy field and of the duties related to it. This is why the Data Protection Officer should be seen as a “friendly” partner, who makes this process much easier, avoiding annoying headaches.


Lack of risk awareness: what it entails and why companies should lean towards letting experienced and knowledgeable counsel lead the way

The DPO as an expert and risk-aware guide

The lack of risk awareness sometimes leads to important consequences, from a legal but also a practical point of view. One of the first and most common risks is the data breach, about which we have written extensively on this page dedicated to information security.

In addition, failure to adequately address the risks faced by the company can result in onerous penalties for the company. Every day the media provides us with examples of how large international companies, and sometimes even small ones, end up paying astronomical sums of money for trying to use their clients’ personal data without their consent or without implementing appropriate security measures.

To reduce the lack of risk awareness, the Data Protection Officer conducts a precise and timely risk analysis and, where necessary, a comprehensive impact assessment (DPIA).

Only in this way is it possible to adopt effective countermeasures suited to the company, aimed at protecting privacy and personal data and at avoiding the huge penalties that would affect the company’s finances.


Record of processing activities: what is it? Is it mandatory?

One of the most important new requirements in the field of personal data processing is the Record of Processing Activities. In fact, the European Regulation 2016/679 specifies, in Article 30, that a Record of Processing Activities must be prepared and made available to the Supervisory Authority if requested.

This is a document that includes specific information on the activities carried out by the organization with regard to the various operations performed for the processing of personal data. It is a central document, given the detail of the information that the Data Controller must provide: the category of data subjects, the purpose of the processing, any data transfers and their corresponding retention period. This document will also be one of the first inputs to perform a proper risk analysis.

This register must also be kept in electronic format by the Data Controller.

Par. 5 of Article 30 indicates that it is not mandatory “for companies or organizations with fewer than 250 employees, unless the processing they carry out is likely to present a risk to the rights and freedoms of the data subject, the processing is not occasional or includes the processing of special categories of data referred to in Article 9(1) or personal data concerning criminal convictions and offenses referred to in Article 10.”

The Data Protection Officer is responsible for assessing whether it is mandatory and what the record of processing activities should contain.


Compliance with the European regulation: some examples of how the DPO does this

The Data Protection Officer helps the Data Controller to perform an initial GDPR impact assessment through several steps:

  • mapping out business tasks, for example through a checklist;
  • analysis of business documents, processes and assets in order to identify risks related to data processing (methods and types of data processed);
  • gap analysis (or non-compliance analysis) against the GDPR and actions to mitigate the gaps.

Find out what we do and ask for more information

moltosenso’s GDPR consulting

Thanks to moltosenso, companies are able to speed up the process of providing information security in an intelligent way.

moltosenso offers as part of its services the provision of a competent, responsible and attentive Data Protection Officer.

Contact us to learn more or to simply get more information.

A member of our team will answer you as soon as possible.