GDPR (5) Do you need a Data Protection Officer?
There is a large chance that the Data Protection Officer (DPO) will occupy a key position in your GDPR project. This instalment of our blog looks at the types of companies that require a DPO as well as the role that the DPO plays.
The GDPR does not require that every controller designates a DPO. For a long time during the preparatory discussions, it seemed likely that the obligation to designate a DPO would apply to all companies with at least 250 employees, but this proposal was eventually abandoned. The obligation is now based much more on the nature of the business. If an organisation’s activities carry a real risk of serious infringements of privacy, owing to the amount of data processed, the nature of the data or the frequency of the data processing operations, the organisation must have a DPO to ensure it complies with the legislation. Certain organisations are always required to designate a DPO. This group consists of all government organisations, all companies whose core activities consist of processing special categories of personal data, and all companies or organisations whose core activities consist of regularly and systematically collecting and processing personal data on a large scale.
Even if you are under no legal obligation to do so, it is recommended that you explicitly assign the role of DPO to a specific individual, as this will ensure your company has designated a person to lead the preparations. The DPO will ensure there is a culture of data protection within your company, that the topic of data privacy is placed on the agenda and that your company is ready for the GDPR in time. The DPO will have to be given sufficient time to study the legislation and learn the ropes, after which the knowledge gained can be passed on to the rest of the organisation. And it goes without saying that the DPO plays a leading role in the GDPR project.
Requirements applying to the Data Protection Officer
Companies that have to designate a DPO must take a number of requirements into consideration. The DPO’s name and contact details must be reported to the Privacy Commission. The DPO must have expertise in the area of privacy legislation as well as a thorough knowledge of the company, its activities and the market in which it operates. He or she must also have sufficient authority and be given adequate resources to perform the task. The DPO is expected to report to senior management and must therefore be sufficiently independent. Moreover, no conflicts of interest may arise. For this reason, a person with responsibilities in the area of IT will usually not be able to hold the position of DPO at the same time, since that person would have to check the security measures set up by their own team. The way in which the position of DPO is filled in practice depends of course on the scale of the organisation. At small companies, the role of DPO will not be a full-time position and so can best be combined with other tasks. It is also perfectly possible for an external person to perform the role of DPO.
The GDPR does not specify any qualifications or certificates that must be held by the DPO, nor does it indicate whether precedence is to be given to legal, organisational or technical knowledge and experience. Obviously, a certain amount of knowledge is required as a minimum even at small organisations. Besides the efforts put into accumulating knowledge, which can be made in a wide variety of ways, it is also worth investing in several days of specific training.
A DPO confers an advantage
Having a DPO therefore confers a significant advantage, even if you are not legally required to have one in your specific situation. The DPO plays a role in each of the six preparatory steps that were identified in the fourth instalment of this blog.
The DPO also has important tasks to perform in other procedures relating to personal data. He or she is involved in setting up all new personal data processing operations and provides advice on risks and the data protection measures that are required. The DPO is also involved in following up incidents and data breaches, and in this context is the first point of contact for clients, data subjects and the supervisory authorities. Finally, one of the primary tasks of the DPO is to guarantee the rights of the data subjects. In this context, the DPO acts as the direct point of contact for data subjects. We will therefore come across the DPO again many times in future instalments of this blog.
The next two instalments will take a closer look at the assessment of personal data and the personal data processing records, as these form the starting point for the preparations for the GDPR for all controllers.
Viktor D’Huys is the ICT manager of Group Joos. He is responsible for matters including data security and the coordination of the GDPR project. He is a Certified Information Security Manager (CISM certified by the ISACA) and has been awarded the CIPP/E (Certified Information Privacy Professional/Europe) credential by the IAPP (International Association of Privacy Professionals).
If you have any questions or comments, please write to us at firstname.lastname@example.org.