Under Article 39 of the GDPR, the Data Protection Officer (hereinafter referred to as the "DPO") is assigned a set of duties that the DPO must perform while acting in that role. They are:
- Inform and advise: The DPO is required to inform and advise the controller or the processor, and the employees who carry out processing, of their obligations under the GDPR and other Union or Member State data protection provisions;
- Monitor compliance: The DPO has to monitor compliance with the GDPR and with other Union or Member State data protection provisions. This includes training staff, raising awareness, assigning responsibilities involved in processing operations, and related audits;
- Advise when requested: The DPO has to provide advice, where requested, on data protection impact assessments and monitor their performance pursuant to Article 35;
- Liaise with the supervisory authority: Where necessary, the DPO shall consult the relevant supervisory authorities on DPIA matters. Further, the DPO shall act as the point of contact between the enterprise and the DPA on any data processing issues and investigations;
- Central contact point: It is the duty of the DPO to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
The DPO shall give due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of the processing.
Reporting of the DPO
Under the GDPR, the DPO is to report directly to the highest management level of the controller or the processor. This reflects a certain level of autonomy in the position of the DPO: a separation of powers. Creating awareness and a culture of GDPR compliance at the management level will more often than not have a trickle-down effect on the rest of the employees of the organization.