Today, increasingly demanding data privacy regulations are among the most challenging issues facing companies. Breaches involving personal data (in US usage, personally identifiable information, PII) result in significant fines as well as reputational damage and loss of customer trust. In this context, companies appoint data protection officers (DPOs) to monitor and support compliance with data protection law.
In this article, we will explain to you exactly what data protection officers are, what responsibilities and roles fall within their space, and what qualities they should possess. Our valuable tips will help you get off to a successful start as a data protection officer!
A data protection officer (DPO) is a natural person responsible for monitoring a company’s data protection strategy and its compliance with the GDPR. DPOs are also the point of contact for data subjects, employees and the works council, and training employees on data protection compliance is one of their responsibilities. Under Article 38(3) of the GDPR, DPOs report directly to the highest level of management – but they must not receive instructions regarding the exercise of their data protection tasks, and they may not be dismissed or penalised for performing them. Through their role, they help maintain business continuity and trustworthiness.
Data protection officers can be appointed internally or externally – i.e., they are either employees of the company or independent service providers under contract.
Whoever is appointed, no conflict of interest may arise: a DPO cannot at the same time hold a role that decides the purposes and means of processing (for example head of IT, HR or marketing, or a member of the executive board), because they would then be monitoring their own decisions. This deserves special attention in the case of internal data protection officers.
Article 37 of the GDPR makes the designation of a data protection officer mandatory in three cases: the processing is carried out by a public authority or body; the core activities of the controller or processor consist of regular and systematic monitoring of data subjects on a large scale; or the core activities consist of large-scale processing of special categories of data (Article 9) or of data relating to criminal convictions and offences. Member State law can add further cases – in Germany, for example, the obligation also applies as soon as a set number of people are regularly involved in automated processing of personal data.
Although the legal text of the GDPR does not define “core activity” precisely – Recital 97 only says it relates to the primary activities of the organisation and not to processing carried out as an ancillary activity, such as running the payroll or internal IT support – the consequence is that many small businesses do not have to designate a DPO. Ask yourself how central data processing is to your business, how many people are affected, what kinds of data are involved, and how long they are retained.
It is a common GDPR myth that the regulation only applies to EU-based companies. In fact, under Article 3(2) the GDPR also applies to organisations outside the EU as soon as they offer goods or services to individuals who are in the EU, or monitor their behaviour there. You could be located in the US, China, or Australia. What matters is not YOUR location but the location of the affected individuals – and note that it is their presence in the EU that counts, not their citizenship.
So if you realise that you need to comply with the GDPR, ask yourself in the next step to what extent your “core activity” is data processing, and whether one of the three cases above applies to you.
The designation of a data protection officer is relatively simple compared to all other activities related to data protection and data security. Article 37(7) of the GDPR describes it as follows:
The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.
Thus, to officially designate your data protection officer, two things are needed: notify the supervisory authority responsible for you (in Germany, the authority of the federal state in which you are established; most offer an online notification form) of the DPO’s name and contact details together with your organisation’s details, and publish the DPO’s contact details, for example in your privacy notice, so that data subjects can reach them.
So much for the basics. Now let’s get to the facts and the hard question: What are the day-to-day responsibilities and roles of data protection officers?
In Article 39, the GDPR is more detailed when describing the responsibilities and roles of the DPO:
Informing and advising the controller, the processor and the employees who process personal data of their obligations under the GDPR and other EU or national data protection law, and training them accordingly.
Monitoring compliance with these laws and with the organisation’s own data protection policies, including assigning responsibilities, raising awareness and conducting audits.
Providing advice, where requested, on data protection impact assessments (DPIAs, Article 35) and monitoring their performance. Advice on transfer impact assessments (TIAs, see below) is not listed in Article 39 but falls naturally into the same advisory role.
Cooperating with the supervisory authority and acting as its contact point on matters relating to processing, including the prior consultation under Article 36.
Acting as the point of contact for data subjects on all issues related to the processing of their personal data.
In fulfilling these responsibilities, a DPO takes a risk-based approach and considers the nature, scope, context and purposes of the processing.
From these responsibilities and roles, one can conclude what qualities a DPO must have. Article 37(5) of the GDPR requires that the DPO be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices. The regulation prescribes no specific degree, course of study or state certification; private certifications exist, but they are not required.
Expertise in data privacy laws
Comprehensive understanding of technology
Good leadership skills
Legal knowledge is recommended
Business management experience
Organizational and communication skills
Have you been appointed as a data protection officer? Congratulations! To help you successfully manage your responsibilities and roles, we’ve put together some helpful tips for you. Follow the guide and you will become a successful DPO!
A transfer impact assessment (TIA) addresses the risks that arise when personal data of individuals in the EU is transferred to a third country that is not covered by an adequacy decision of the European Commission, for example on the basis of Standard Contractual Clauses (SCCs). The data exporter and the data importer each document the legal situation on their side, in practice usually by completing a structured questionnaire.
In this way, the risks that the laws and practices of the destination country pose to the rights and freedoms of the individuals concerned can be estimated, and supplementary measures (such as encryption with keys held only in the EU) can be chosen. Under Clause 14 of the 2021 SCCs, the parties must carry out and document this assessment and make it available to the supervisory authority on request, so a TIA is mandatory for each new transfer relationship based on the SCCs.
Success tip for TIAs
Use the European Data Protection Board’s (EDPB) recommendations on supplementary measures for transfer tools as your guide to preparing TIAs.
Start the Transfer Impact Assessment early, while you can still influence the course of the project, to save potential costs.
It is important to remain independent and ensure that the responsible party does not direct you on how to do your work.
Depending on the size and associated risks of the project, it may be your responsibility to contact your local data protection authority.
If possible, it makes sense to publish a summary of the TIA to communicate to customers and employees that the security and privacy of their data is taken seriously. Keep the full report internal where it describes the importer’s security measures in detail.
Data subjects may at any time ask a company to disclose whether it processes their personal data and, if so, the nature, purpose and scope of that processing, together with a copy of the data (Article 15 of the GDPR). The request does not have to be made in writing or use any particular form. It is then your responsibility to respond without undue delay and in any case within one month (Article 12(3); extendable by two further months for complex or numerous requests, provided the data subject is informed within the first month). Many other laws, such as the CCPA, include some form of “right of access” with their own deadlines, so you should be well prepared in any case.
How to provide information to subjects
Identify the form of the request and whether it comes from a current or former customer or employee.
Verify the identity of the requester before disclosing anything, using only what is proportionate (Article 12(6)); otherwise the access right itself becomes a channel for leaking personal data to impostors. Then request additional information, such as the e-mail address or customer number used, to facilitate the search for their personal data.
Use a search or discovery tool to find the relevant data across your systems quickly and completely; manual searches tend to miss copies in tickets, comments and attachments.
Document the request’s arrival, the identity check, your search, and the delivery of the response, so that you can demonstrate compliance and the one-month deadline is traceable.
During your career as a data protection officer, you will, one day or another, reach the point where all your preventive measures have been unsuccessful and damage has already been done. Attacks on IT systems, misuse of access rights, the loss of unencrypted data media such as laptops and USB sticks, or simply the unintentional deletion of data are examples of the broad spectrum of personal data breaches. Then it will be your duty to keep the damage as small as possible.
Considering the increasing cyber threats, it is only a matter of time before one of these situations occurs, and in itself it is not a sign of bad work.
That is also the first tip here: when the alarm bells start ringing, do not panic or feel sorry for yourself, but follow these steps to contain the breach:
Detect and mitigate security breaches
To evaluate, answer these questions
What data and systems are affected?
Which individuals are involved?
How did the data breach happen?
Has the incident ended or is it ongoing?
What happened to any data that was stolen?
In the event of a data breach, you should act quickly. The GDPR sets concrete deadlines, so start the clock from the moment the organisation becomes aware of the breach.
The first task, of course, is to report it to the IT or security team and the other internal responsible parties in your company so that containment can begin.
Under Article 33, the controller must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. If not everything is known within 72 hours, notify in phases rather than waiting; late notifications must be justified. Document every breach internally, including those you decide not to report, together with the reasoning.
Under Article 34, the affected persons must additionally be informed without undue delay when the breach is likely to result in a high risk to them, for example exposed credentials or financial data, so that they can protect themselves. Discuss borderline cases with the supervisory authority, which can also order such communication.
Data breach mitigation
To contain the incident, secure physical areas as well as systems as soon as possible: isolate affected devices from the network, revoke or rotate compromised passwords, API keys and access codes, and lock the accounts involved. Do this in coordination with the IT or security team so that evidence (logs, disk images, memory) is preserved before systems are wiped or rebuilt; otherwise you will not be able to answer the questions above or the supervisory authority’s follow-up questions.
Check your website for possible damage.
Update your antivirus and anti-malware programs and patch the vulnerability that was exploited, if one was.
Implement multifactor authentication (MFA) if you have not already, starting with administrative and remote-access accounts.
Review online accounts, payment accounts and balances for suspicious activity.
Prevent future data breaches
Learn from the data breach and create a communication and prevention plan that incorporates your lessons learned.
Knowledge is power. This is especially true for DPOs. Therefore, regularly exchange tips for success and best practices with your colleagues in the industry. Face-to-face meetings with other experts, workshops, conferences, and working groups will help you to fulfill your responsibilities even more decisively.
It is advisable to conduct regular audits to identify all personal data processing within the organisation, ideally unannounced so that you see the real state rather than a tidied-up one. The audit should inventory the data actually collected and where it is stored, such as names, e-mail addresses and phone numbers, and compare the result with your records of processing activities (Article 30); data found outside those records is exactly what you are looking for.
In your responsible company, you have the role of an expert – live up to it! It is not enough to know what the law says. You should also have practical knowledge. In addition, you must be able to interpret complex regulatory requirements and provide actionable advice.
The basis for fulfilling these responsibilities is that you do your homework and have detailed knowledge of the most important terms relating to data protection.
You can be sure that attackers use tools to cause you harm. Therefore, why shouldn’t you also use tools to prevent harm? Security toolkit apps help you with your daily responsibilities: with them, you can quickly track down sensitive data across your systems, modify it, and anonymise or pseudonymise it where necessary.
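The following script illustrates the three tooling tasks mentioned on this page, namely inventorying personal data for a processing audit, answering an access request, and pseudonymising data once it is no longer needed in clear text. It is an added example written for this article and is not code from the original text or from any vendor app. The sample records, the secret key, the token format and the two regular expressions are constructed assumptions; note that names cannot be found reliably by pattern matching, so such a scan only covers structured identifiers like e-mail addresses and phone numbers.

```python
"""Locate e-mail addresses and phone numbers in exported records, report them
for a processing audit, answer an access request, and pseudonymize them.

Added example for this article; the records, key, token format and patterns
below are constructed assumptions, not part of any real product."""
import hashlib
import hmac
import re

# Constructed sample data standing in for an export of tickets or comments.
SAMPLE_RECORDS = [
    {"id": "SUP-101",
     "text": "Customer anna.meier@example.org called from +49 30 123456 about invoice 4711."},
    {"id": "SUP-102",
     "text": "Forwarded to billing; no contact data in this note."},
    {"id": "SUP-103",
     "text": "Follow-up for Anna.Meier@example.org, reachable at +49-30-123456 today."},
]

# Assumed secret for the pseudonymization HMAC. In practice load it from a vault
# and restrict access: whoever holds it can re-link a token to a person.
PSEUDONYM_KEY = b"replace-me-with-a-32-byte-secret"

EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# Phone: optional country code, 2-5 digit area part, separator, 3+ digits.
# A short bare number such as the invoice id "4711" does not fit this shape.
PHONE_RE = re.compile(
    r"(?<![\w@])(?:\+\d{1,3}[ \-]?)?\(?\d{2,5}\)?[ \-/]?\d{3,}(?:[ \-]\d{2,})*\b")

PATTERNS = {"email": EMAIL_RE, "phone": PHONE_RE}


def normalize(kind, value):
    """Canonical form so that case and formatting differences yield one token."""
    if kind == "email":
        return value.lower()
    # Digits only: "+49 30 123456" and "+49-30-123456" become the same string.
    # National vs. international forms of one number would still differ.
    return re.sub(r"\D", "", value)


def find_pii(text):
    """Return non-overlapping findings in order of appearance, with spans."""
    hits = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((m.start(), m.end(), kind, m.group()))
    hits.sort()
    findings, last_end = [], -1
    for start, end, kind, value in hits:
        if start < last_end:  # e.g. a digit run inside an already matched e-mail
            continue
        findings.append({"kind": kind, "value": value, "start": start, "end": end})
        last_end = end
    return findings


def pseudonym(kind, value, key=PSEUDONYM_KEY):
    """Keyed, deterministic token. A plain hash would let anyone recover a
    guessable e-mail by hashing candidates; HMAC with a secret key prevents that."""
    digest = hmac.new(key, normalize(kind, value).encode(), hashlib.sha256).hexdigest()
    return f"<{kind}:{digest[:16]}>"


def pseudonymize(text, key=PSEUDONYM_KEY):
    """Replace every finding with its token, right to left so spans stay valid."""
    out = text
    for f in reversed(find_pii(text)):
        out = out[:f["start"]] + pseudonym(f["kind"], f["value"], key) + out[f["end"]:]
    return out


def audit(records):
    """Inventory for the processing audit: which record holds which kind of data.
    Values are masked so the audit report itself does not become a PII store."""
    return [(r["id"], f["kind"], f["value"][:2] + "***")
            for r in records for f in find_pii(r["text"])]


def records_for_subject(records, email):
    """Access-request helper: ids of records that mention the requester's e-mail."""
    wanted = normalize("email", email)
    return [r["id"] for r in records
            if any(f["kind"] == "email" and normalize("email", f["value"]) == wanted
                   for f in find_pii(r["text"]))]


if __name__ == "__main__":
    for row in audit(SAMPLE_RECORDS):
        print(row)
    print(records_for_subject(SAMPLE_RECORDS, "ANNA.MEIER@example.org"))
    for r in SAMPLE_RECORDS:
        print(r["id"], pseudonymize(r["text"]))
```

Because the token is an HMAC under a secret key rather than a plain hash, the same person always receives the same token (so records can still be correlated and a later access request can still be answered), while nobody without the key can test whether a given address produced a given token. Destroying the key turns pseudonymised records into anonymised ones.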
As you can see, the responsibilities and roles of data protection officers are wide-ranging. With this overview, you will be able to fulfil those responsibilities and your role, and to keep data protection risks in your company under control.
Andreas Springer _Actonic_
Head of Marketing