Being DPO – Point Man of the GDPR Quest

A comeback is never easy, especially on a global stage. A term that seemed done and dusted in the last millennium, the DPO (Data Protection Officer), has suddenly made a comeback piggybacking on the GDPR (General Data Protection Regulation), and what an impact it has had over the last year. Every organization wants to know what a DPO is, and every appointed DPO is eager to understand what it means to be one. Would the DPO be held responsible for every breach of data in the organization? Would the DPO be sued for lapses? What authority and responsibilities should the DPO have? Very few authentic answers to these questions are readily available. With multiple sources propounding different versions of the regulation, confusion reigns supreme in the minds of existing and prospective DPOs. To add more anxiety to this excitement, the Government of India is rolling out its own data protection law. A macro view suggests a straightforward strategy: protect all acquired data at every stage at any cost, or be penalized, heavily penalized.

So what exactly are the duties of the DPO? Can they be explained in layman's terms, cutting out the jargon? Yes, they can. Before that, let us understand two essential terms that the GDPR brings to the fore: Data Controller (DC) and Data Processor (DP). The Data Controller, as the name suggests, is the person or entity that collects personal data and decides why and how it will be processed (the "purposes and means" of processing, in the regulation's words), while the Data Processor is a person or entity that processes the data on behalf of the Data Controller. Both the DC and the DP have their own set of responsibilities to ensure that the data they acquire and process is safeguarded under all conditions. Now enters the most crucial player, the DPO. The DPO is designated by the DC and/or the DP to assist them in the protection of personal data. Let us see what this means and how the DPO can do justice to this single-point agenda of the DP and DC.

Let us look at the duties of a DPO and their implications in straightforward terms:-

  1. Inform and advise the DC and DP on all issues related to personal data – convey to the DC/DP and to every employee who handles personal data what their obligations under the regulation are. No confusion or ambiguity.
  2. Monitor end-to-end compliance – institute measures to identify, establish and monitor GDPR processes from all perspectives, viz. People, Processes/Policies, Technology and Legal. This must include periodic assessments and audits, advice on and monitoring of Data Protection Impact Assessments (DPIA), awareness campaigns and training activities.
  3. Single Point of Contact (SPOC) – act as the SPOC for every data protection activity, both for the individuals who have entrusted the DC/DP with their data and for the supervisory authority. The DC/DP must publish the DPO's contact details and communicate them to the supervisory authority, and the DPO is the contact point for that authority on processing matters and on personal data breaches, which the controller must notify within 72 hours of becoming aware of them. The GDPR (Article 38(4)) clearly states: "Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation."

Appointing a DPO

The regulation, and the guidance issued on it, set out the following criteria for selecting a DPO:-

  1. Must have "expert knowledge" of data protection law and practices.
  2. Should be familiar with the sector within which the organization operates.
  3. Must not be subject to any conflict of interest; the DPO may hold other roles, but not ones in which they decide the purposes and means of processing.
  4. A single DPO can be shared across a group of organizations, or the role can be outsourced to a service provider under a service contract.

That's it. As simple as that. However, wait, there is more, and it is imperative. The DPO has also been given some rights under the regulation. The DPO reports directly to the highest level of management, cannot be instructed on how to carry out these tasks, and is protected by the GDPR from being dismissed or penalized for performing them. And while the DPO is the point man in the entire game, the final responsibility for data protection lies on the heads of the Data Controller and the Data Processor, not on the DPO personally.

Regulations apart, a DPO should loudly convey to all that "We care about your data, and we are ready to be held accountable for it." So, go ahead, save the data of the world without any fear!