In certain circumstances data controllers and processors must designate a Data Protection Officer (DPO) as part of their accountability programme.
The GDPR does not specify credentials necessary for data protection officers, but does require that they have “expert knowledge of data protection law and practices.” This will depend on the processing activities for which the officer will be responsible.
Article 35 of the GDPR states that a data protection officer must be appointed where:
- processing is carried out by a public authority,
- the core activities of the controller or processor consist of processing which, by its nature, scope or purposes, requires regular and systematic monitoring of data subjects on a large scale, or
- the core activities consist of processing on a large scale of special categories of data.
The Data Protection Officer will need a complete understanding of the current requirements of the act and of how it affects the company they are working with. They will also need to be able to advise the company on future requirements it may have to meet, for instance the impact of dealing with younger age-group customers.
The Data Protection Officer may be employed or engaged under a service contract. There is no requirement under the present GDPR for a company to have a permanent employee in this role; however, larger companies may well benefit from doing so.
A group of companies may share a single DPO (conditional on accessibility by all), as may certain groups of public authorities.
Firms whose core business activities are not data processing are exempt from this obligation.