GDPR and the role of the Data Protection Officer

Posted by: John-Arthur Berg, itslearning
Updated July 19, 2021

https://itslearning.com/global/news/gdpr-data-protection-officer/

It’s been just over three years since the European Union began applying a landmark legislation for data protection in the region — the General Data Protection Regulation (better known as GDPR). It is the toughest data privacy and security law in the world and reaches far beyond Europe. One of its key aspects is the appointment of a Data Protection Officer (DPO).

But what exactly is a DPO? A simple enough question, but the answer requires some understanding of GDPR (General Data Protection Regulation), and EU data privacy.

For any EU citizen, the right to privacy and protection of personal data is secured in the charter of fundamental rights (Articles 7 and 8). Personal data needs to be protected and the processing of it must have a lawful purpose and be transparent. The main instrument for ensuring this has so far been a combination of EU directives and local law in the different member states. But from 25. May 2018, this will be replaced by GDPR, a regulation that automatically becomes law in all member states (and EEA).

A DPO (Data Protection Officer) works to protect the fundamental freedoms and rights of data subjects in relation to privacy and data protection.

Many member states have already had provisions for a Data Protection Officer, either mandatory or voluntary. With GDPR, the role of the DPO is written into the EU law. For some institutions, having a DPO will be mandatory, others can choose to opt in. The following organisations must appoint one:

• Public/government institutions
• Organizations processing certain types of sensitive data on a large scale
• Organizations processing personal data that involves large-scale monitoring or surveillance

Recognizing that many of our customers will need to fill this role, itslearning has appointed one too. In addition to monitoring our own compliance and providing advice and training to our own staff, our DPO is available to our customers and their DPOs to discuss data privacy issues. I held that role until 2020 when itslearning was acquired by Sanoma Group. The role now sits with Riika Turunen in Sanoma. Her details are available on our GDPR page.

The role of the DPO

So back to the original question; what is a DPO? A simple way of putting it is that DPOs work to protect the fundamental freedoms and rights of data subjects in relation to privacy and data protection. To ensure that the DPO puts the rights of the data subject first, not those of his or her employer, there are particular provisions in GDPR to ensure independence. A DPO cannot be instructed in or penalized for the work done as a champion of data protection. He or she can also not have another role that could conflict with personal data protection.

A common misunderstanding about the role is thinking that the DPO is responsible for compliance with GDPR. It is actually the opposite, a DPO cannot have a formal role where decisions are taken that could affect GDPR compliance. Think of it as the difference between an accountant and an auditor; the auditor can advise the accountant and recommend accounting technics, but must remain independent.

Similarly, the DPO must always be consulted in important matters relating to data protection within his organization. He or she could take responsibility for training the organization on their duties under European data protection regulations. The DPO should also be able to proactively assess and monitor compliance, and report back to the highest level of management of the organization. The DPO is also the contact point for supervising authorities in each country who are responsible for ensuring that personal data is processed fairly and lawfully.

The DPO is also responsible for dealing with direct requests from data subjects. However this is limited to requests in cases where the organization is responsible for the purpose of the processing (the controller). For itslearning, the majority of the data we process, is on behalf of our customers. If you are a student, teacher or parent using our customers services, you need to contact the institution you are enrolled in to exercise your rights. Our DPO will however do what he can to support your institution in protecting your rights.

We hope we have sufficiently answered the question “What is a DPO?”

 
Further GDPR related information:

Why GDPR?

Preserving the rights and freedoms of our students

GDPR: Everything happens for a purpose

GDPR, Google and itslearning

Five important data privacy takeaways from 10 months of remote and blended learning

How to minimize risks regarding GDPR compliance?

For more information on GDPR and your rights as an itslearning user, please visit our webpage: itslearning is GDPR compliant.

John-Arthur Berg, itslearning
Published February 22, 2018. Updated July 19, 2021