What does a Data Protection Officer do and where do they sit within an organisation?

 In News

From the 25 May 2018, the GDPR will introduce into legislation an accountability-based compliance framework for data protection. Demonstrating compliance with this significantly enhanced legislation, may require organisations to appoint a Data Protection Officer (DPO).  In this blog we look at what the DPO does and where it sits within the organisation.

What does a DPO do?

There are a number of obligations that relate to a DPO as defined in Article 39 of GDPR. Although some of these do not apply to voluntary DPOs (EG. protected employment status). Nevertheless, if you appoint one voluntarily, you essentially enter into an agreement to ensure that their tasks are compliant with the regulations. It is also important to remember that the DPO’s tasks cover all personal data processing activities, not just those that require their appointment under Article 37.

The DPO’s remit under the regulations is extensive but can be summarised as:

  • Informing and advising the data controller or data processor and its employees about their obligations to comply with the GDPR and other national data protection laws
  • Monitoring compliance with GDPR and other national data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits
  • Being the first point of contact for supervisory authorities and for individuals whose data is processed (for example, employees and customers).

Where does a DPO sit within an organisation?

Article 38 of GDPR provides clear direction on the position of the DPO within a controller or processor organisation. They should be the primary point of contact for individuals, employees, regulators and other interested parties.

“DPOs must be able to report to the highest level of management within your organisation”

In order for them to perform their obligations effectively, DPOs must be able to report to the highest level of management within your organisation and be provided with adequate resources to enable them to carry out their tasks. They must also operate independently and must not therefore be in a position within the organisation which results in a conflict of interest. Positions where an individual’s role includes defining the means and methods of processing are likely to result in a conflict of interest – for example, CEO, Chief Operating Officer, Chief Financial Officer, IT Director, Head of Marketing, and Head of HR.

The DPO does not need to be an employee of the controller or processor organisation and many organisations may find it very beneficial to appoint an external DPO in order to remove conflicts of interest and to demonstrate independence.


Read our other blog  “Data Protection Officer – do you need to appoint one?”                                                                           

Written by Brian Penfold, Technical Director of Trident Assurance Services and qualified GDPR practitioner. 

We can undertake the DPO role for you, which removes any conflict of interest. Our senior consultant, Brian Penfold, has 30 years of extensive experience in risk management, safety, compliance and assurance in highly-regulated environments. We can tailor our DPO service to suit your requirements. This may range from supporting you for a few days a year, to a wide-ranging portfolio of activities designed to help you achieve and maintain compliance. Get in touch for a free no-obligation consultation.


Recent Posts
  • Bethel Hammerly

    I blog quite often and I seriously thank you for your information. This article has really peaked my interest. I will take a note of your website and keep checking for new details about once a week. I subscribed to your RSS feed too.

Leave a Comment

data protection officer and eu mapprivacy notice keyboard key