What does being a data protection officer (DPO) involve?
The role of the data protection officer (DPO) in an organisation is to make sure all processing of personal data complies with the relevant rules and regulations. This professional has expert knowledge of data protection law and practice, including articles 37, 38 and 39 of the European Union General Data Protection Regulation (GDPR), and puts processes in place to ensure data is protected in line with this legislation.
Not all organisations need a DPO, but those that do must meet the legal requirements when hiring one. As the position must be independent of the business, the biggest challenge is often finding someone who does not have a conflict of interest.
Data protection officer responsibilities and tasks
The DPO is responsible for all internal data protection and, as such, must report directly to the highest level of management on all data processing activities. Ensuring the company meets all of its data protection obligations includes:
- Advising employees on how to work with personal data in a compliant and responsible manner.
- Ensuring internal data protection policies and procedures are in place.
- Monitoring the organisation’s compliance with GDPR.
- Assigning responsibilities to protection officers.
- Providing awareness training for staff.
- Determining if data protection impact assessments (DPIA) are necessary.
- Conducting a DPIA if required and outlining the expected outcomes.
- Being the contact point for data subjects in case they have any queries or concerns.
- Liaising with supervisory authorities on all areas of data protection.
- Reporting any data breaches to the Information Commissioner's Office (ICO).
Qualifications for becoming a data protection officer
There are no specific qualifications required to apply for a job as a DPO, but a certain level of expertise in areas surrounding data is generally expected. DPOs can be hired externally, or existing employees can move into the role, as long as there is no conflict of interest over the protection of personal data.
The professional qualities of a DPO include:
- Expert knowledge of data protection law.
- Experience in handling data and in the processes that constitute good practice.
- Credentials in line with the level of data protection required.
- In-depth knowledge of your industry.
- Ability to handle large-scale processing of data relating to criminal convictions and offences.
Data protection officer salary
In the UK, the average data protection officer salary is £52,269 annually, according to Glassdoor. This figure is based on 119 anonymously submitted salaries and doesn't take additional cash compensation into account, which can range from £3,035 to £12,251.
The salary you can expect to command will depend on a number of factors, including your expertise with data and years of experience. Another thing to consider is whether the organisation you’re applying to is in the public or private sector, as both types of business require data protection officers.
GDPR data protection officer
Not all organisations require a DPO, but Article 37 sets out criteria under which a GDPR data protection officer must be appointed. They are:
- The organisation is a public authority or body.
- Its core activities consist of processing operations that require regular and systematic monitoring of individuals on a large scale.
- Its core activities consist of large-scale processing of special categories of data. These include personal information on:
  - Health
  - Religion
  - Race
  - Sexual orientation
  - Criminal convictions and offences
Even where organisations are not mandated to have a GDPR data protection officer under these criteria, it’s seen as best practice to voluntarily appoint a DPO. Both GDPR representatives and DPOs should have a high level of expertise and the professional qualities laid out above.
What's the difference between GDPR representatives and DPOs?
While many of the responsibilities of GDPR representatives and DPOs are the same, the main difference between the two roles relates to jurisdiction. A DPO is tasked with reviewing the business’s data protection strategy and implementing it in a way that complies with GDPR.
A GDPR representative acts as a bridge between the business and its customers or privacy authorities in the jurisdictions where the company does business but has no establishment. They are not responsible for GDPR compliance.
GDPR representatives are needed when a business has no physical operating presence within the jurisdiction where it processes personal data on data subjects. They point people in the right direction, whereas DPOs tackle compliance directly.