Knowing that you may need a DPO is one thing, but what does a DPO actually do?
Firstly, the DPO is NOT responsible or accountable for GDPR compliance. This duty falls on the organisation itself.
Day to day, the DPO is the internal authority on data protection guidance for all activities involving personal data. Any new project, architecture, design or plan that includes personal data should have input from the DPO. In turn, the availability of the DPO to all teams is essential. The DPO’s guidance does not necessarily need to be followed, but if it is not, the reasons should be explicitly documented and a risk assessment made. The DPO can sit in any business unit where there isn’t a conflict of interest, and must have a direct line to the top level of management.
The volume of work required from a DPO will vary from organisation to organisation. A smaller company may require one or two days of DPO input per month. Another may require a full-time DPO with a large supporting team underneath them. Under-resourcing the DPO role would be a very careless mistake, especially if the regulator comes knocking.
Crucially, the DPO must be a true expert on the GDPR. Whether they are a trained lawyer, Compliance Manager or external consultant, they need to know the GDPR inside out and how to comply with it in the real world. No specific qualification is required for a DPO, but in addition to expert GDPR knowledge they must also have strong skills in Information Security and Project Management, and a good understanding of the business and organisational nuances of administrative rules and procedures.
The DPO is your expert GDPR advisor, ready to work with project teams assessing compliance and happy to face the supervisory authority in the event of a data security breach. The DPO has a wide skill set and reports directly to the executive board.