GDPR and the role of the Data Protection Officer at itslearning
It has now been eight years since the European Union began applying a landmark piece of legislation for data protection in the region — the General Data Protection Regulation (better known as GDPR). It remains one of the most comprehensive data privacy and security frameworks in the world and continues to influence legislation far beyond Europe.
Since its introduction in 2018, GDPR has been shaped and clarified through regulatory guidance, enforcement decisions, and court rulings across the European Union and the European Economic Area.
In this context, it is useful to revisit some of the key concepts introduced by GDPR and consider how they apply today. In this piece, we look at one of the central roles defined by the regulation — the Data Protection Officer (DPO).
What exactly is a DPO?
A simple enough question, but the answer requires some understanding of GDPR and EU data privacy rules.
For any EU citizen, the right to privacy and protection of personal data is secured in the Charter of Fundamental Rights (Articles 7 and 8). Personal data needs to be protected, and the processing of it must have a lawful purpose and be transparent. The main instrument for ensuring this prior to 2018 was a combination of EU directives and local law in the different member states. That all changed on the 25th of May, 2018 with GDPR being adopted in all EU and EEA member states.
A DPO (Data Protection Officer) works to protect the fundamental freedoms and rights of data subjects in relation to privacy and data protection.
With GDPR, the role of the DPO became written into EU law. For some institutions, having a DPO will be mandatory, while others can choose to opt in. The following organisations are required by law to appoint a DPO:
- Public authorities and bodies
- Organisations whose core activities consist of large-scale processing of special categories of personal data
- Organisations whose core activities involve regular and systematic monitoring of individuals on a large scale
Recognising that many of our customers will need to fill this role, itslearning was among the first LMS providers to appoint a DPO. In addition to monitoring our own compliance and providing advice and training to our own staff, our DPO is available to our customers and their DPOs to discuss data privacy issues. The role is currently held within the Sanoma Group. The details are available on our GDPR page.
The role of the DPO
So back to the original question, what is a DPO? A simple way of putting it is that DPOs work to protect the fundamental freedoms and rights of data subjects in relation to privacy and data protection. To ensure that the DPO puts the rights of the data subject first, not those of his or her employer, there are particular provisions in GDPR to ensure independence. A DPO cannot be instructed in, or penalised for, the work done as a champion of data protection. They also cannot have another role that could conflict with personal data protection.
A common misunderstanding is that the DPO is responsible for compliance with GDPR. In reality, responsibility for compliance remains with the organization itself, while the DPO acts in an advisory and monitoring capacity. Think of it as the difference between an accountant and an auditor; the auditor can advise the accountant and recommend accounting techniques, but must remain independent.
Similarly, the DPO must always be consulted in important matters relating to data protection within his or her organization. He or she could take responsibility for training the organization on its duties under European data protection regulations. The DPO should also be able to proactively assess and monitor compliance, and report back to the highest level of management of the organisation. The DPO is also the contact point for supervising authorities in each country who are responsible for ensuring that personal data is processed fairly and lawfully.
The DPO is also responsible for dealing with direct requests from data subjects. However, this is limited to requests in cases where the organization is responsible for the purpose of the processing (the controller). For itslearning, the majority of the data we process is on behalf of our customers. If you are a student, teacher or parent using our customers' services, you need to contact the institution you are enrolled in to exercise your rights. Our DPO will, however, do what they can to support your institution in protecting your rights.
GDPR has significantly strengthened data protection rights across Europe and increased awareness of how personal data is used and protected. As data protection continues to evolve alongside new technologies and regulatory frameworks, the role of the DPO remains central in ensuring accountability, transparency, and trust. At itslearning, we take data privacy very seriously with a strong commitment to GDPR and ISO 27001 standards.
For more information on GDPR and your rights as an itslearning user, please visit our webpage: itslearning is GDPR compliant.