This is the first in a series of posts penned by itslearning's Data Protection Officer (DPO), John-Arthur Berg.
So let's start with the most obvious question: what is a DPO? A simple enough question, but the answer requires some understanding of GDPR (General Data Protection Regulation) and EU data privacy.
For any EU citizen, the right to privacy and protection of personal data is secured in the Charter of Fundamental Rights (Articles 7 and 8). Personal data needs to be protected, and the processing of it must have a lawful purpose and be transparent. The main instrument for ensuring this has so far been a combination of EU directives and local law in the different member states. But from 25 May 2018, this will be replaced by GDPR, a regulation that automatically becomes law in all member states (and the EEA).
Many member states have already had provisions for a Data Protection Officer, either mandatory or voluntary. With GDPR, the role of the DPO is written into the EU law. For some institutions, having a DPO will be mandatory, others can choose to opt in. The following organisations must appoint one:
- Public/government institutions
- Organisations processing certain types of sensitive data on a large scale
- Organisations processing personal data that involves large-scale monitoring or surveillance
Recognizing that many of our customers will need to fill this role, itslearning has appointed one too.
So back to the original question: what is a DPO? A simple way of putting it is that DPOs work to protect the fundamental freedoms and rights of data subjects in relation to privacy and data protection. To ensure that the DPO puts the rights of the data subject first, not those of his or her employer, there are particular provisions in GDPR to ensure independence. A DPO cannot be instructed in, or penalized for, the work done as a champion of data protection. He or she can also not have another role that could conflict with personal data protection.
A common misunderstanding about the role is thinking that the DPO is responsible for compliance with GDPR. It is actually the opposite: a DPO cannot have a formal role where decisions are taken that could affect GDPR compliance. Think of it as the difference between an accountant and an auditor; the auditor can advise the accountant and recommend accounting techniques, but must remain independent.
Similarly, the DPO must always be consulted in important matters relating to data protection within his or her organization. He or she could take responsibility for training the organization on its duties under European data protection regulations. The DPO should also be able to proactively assess and monitor compliance, and report back to the highest level of management of the organization. The DPO is also the contact point for the supervisory authorities in each country, who are responsible for ensuring that personal data is processed fairly and lawfully.
The DPO is also responsible for dealing with direct requests from data subjects. However, this is limited to requests in cases where the organization is responsible for the purpose of the processing (the controller). For itslearning, the majority of the data we process is on behalf of our customers. If you are a student, teacher or parent using our customers' services, you need to contact the institution you are enrolled in to exercise your rights. Our DPO will, however, do what he can to support your institution in protecting your rights.
We hope we have sufficiently answered the question “What is a DPO?” Stay tuned next week for the second article in our series: “Why GDPR?”
For more information, please visit our web page: itslearning GDPR compliant by May 2018