4 Tasks DPOs Must Perform Under GDPR
EU data protection law (Article 39 of the GDPR) mandates that the DPO must fulfil certain obligations and tasks. These include:
- Informing and advising the organisation and its staff about their obligations under data protection law.
- Monitoring the organisation's compliance with data protection law and its own policies, including monitoring how responsibilities are assigned, the level of awareness and training provided to staff, and the results of audits.
- Where requested by the organisation, advising on data protection impact assessments (DPIAs) and monitoring how they are carried out.
- Cooperating with the supervisory authority (e.g. the ICO in the UK) and acting as the contact point for it.
The organisation must not ask the DPO to complete tasks that would result in a conflict of interests. For example, the DPO could not define the organisation's security controls and then, in their DPO role, monitor whether those controls are compliant.
The DPO must be in a position to perform their duties and tasks in an independent manner.
The DPO’s priorities and level of activity should be based on the underlying level of privacy risk, considering the nature, scope, context and purposes of any processing.
The DPO is required to provide advice and assurance, but is not legally accountable, directly or personally, for the organisation's data protection compliance in the way that a Money Laundering Reporting Officer (MLRO) is for anti-money laundering; that accountability remains with the organisation as controller or processor.