The GDPR introduces a new institutional role, the Data Protection Officer (DPO). This role is very important in achieving compliance with the GDPR, since the DPO is the one who oversees the day-to-day application of the Regulation to the operation of the company, examines the effect of any functional change on the protection of personal data and advises the management of the company, in order to achieve continuous compliance. The DPO is also the person who keeps the record of processing activities and the one with whom the Data Protection Authority and the data subjects communicate, on any matter that arises, or simply for information purposes regarding the compliance of the company.
This role can be assigned internally within the company or it can be outsourced, a choice that is left to the discretion of the company. This role is incompatible with other duties within the company, especially those of the head of the legal department and the IT security officer, with whom the DPO must both cooperate and whom the DPO must audit at the same time. It is important to emphasize that the DPO does not have any personal responsibility for the compliance of the company with the GDPR, since the implementation of any required measures belongs exclusively to the company. Even liability for a lack of proper knowledge and experience falls, according to the GDPR, not on the DPO but on the company and its management.
In a GDPR Compliance Project, the need to appoint a DPO is considered from the outset, based on the GDPR's requirements (e.g., processing large volumes of personal data, processing sensitive personal data, or systematically processing personal data). If this is not apparent from the outset, the GAP Analysis will show whether an appointment is necessary.
The role of the DPO can and should be assigned even before the start of the project, so that the DPO can be involved in all phases of the project, be fully aware of all findings from the outset and possibly lead parts of the project. Ideally, as long as the person has the experience and knowledge required for the role of the DPO, they could also serve as Project Manager. A DPO can of course also be appointed at the end of the project or at any other time.
Our company, with the knowledge and experience of its executives, is able to offer the DPO as a service to its customers. The design of the service includes an experienced IT engineer and a specialized lawyer, who work as an integral pair in the delivery of the service. Every change related to personal data processing is recorded and evaluated in terms of security by the IT engineer while at the same time being examined legally, so that the next actions can be decided (e.g., whether or not to conduct a new DPIA).