Article 37 of the GDPR requires organisations to appoint a Data Protection Officer (DPO) in three specific cases:
a) where the processing is carried out by a public authority or body;
b) where the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale; or
c) where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.
Reference is made to the DPO guidelines issued by the IDPC.
The DPO can be internal, external or even an existing employee who is qualified to take on the function. This post will not go into the merits of what these three cases entail or the pros and cons of internal versus external DPOs; suffice it to say that there are already enough articles about those topics. Rather, my aim is to create a job description that anyone needing to employ or assign the role of a DPO can use as a starting point.
Instructions for use
The text below is generic enough to be used across a number of organisations, but it will require customisation, as no two organisations operate in exactly the same way. For example, instead of a risk manager your organisation might assign the same duties to a different role. It is also worth considering which complementary duties or responsibilities could be added to the role, and which are already being carried out by other roles, so as to avoid duplication of effort.
The team names and terminology used are based on ITIL and will need to be mapped to the equivalent function within your organisation. Those parts which are highly likely to change, or which are simply my comments, have been highlighted in square brackets for ease of use.
Job Description for a Data Protection Officer (DPO)
A data protection officer (DPO) is a horizontal leadership role whose purpose is to ensure, and to support, that the organisation processes personal data in compliance with the GDPR.
Reporting directly to the [CISO/Board of Directors], your role is to act as an independent advocate for the proper collection, use and protection of any personal data collected by the organisation.
As a DPO you will be involved in all strategic and operational activities requiring the collection or use of personal data, providing guidance and advice on all matters related to data protection. In doing so you will be expected to take into account the risk associated with the processing the organisation is undertaking, having regard to its nature, scope, context and purposes.
Key Responsibilities and Tasks:
- Inform, advise and issue recommendations to the various members of the organisation about their obligations to comply with the GDPR and other data protection laws.
- Provide input on legal documents such as data processing agreements.
- Provide input on supplier due diligence.
- Provide risk-based advice to the organisation.
- Participate in the [Change Advisory Board].
- Be a part of the [Incident Response Team / Major Incidents Team], act as the point of contact for communicating data breaches to the Supervisory Authorities, and offer consultation to all other members of the team in relation to risk mitigation and data protection.
- Provide input to the [Risk Manager] and the [Information Security Manager] on items related to data protection.
- Inform and advise on, and where necessary maintain, the organisation's data protection policies.
- Advise on, and monitor, data protection impact assessments.
- Manage all internal data protection activities.
- Manage the assignment of responsibilities to deliver compliance with data protection laws and the policies of the organisation, including through the resources of other teams and departments in the organisation.
- Monitor and enforce compliance with the GDPR, other data protection laws and internal data protection policies by overseeing and managing regular audits (both internal and external).
- Keep up-to-date and comprehensive records of the organisation's processing activities and any other records required to demonstrate compliance.
- Document all decisions taken, whether consistent with or contrary to any advice or recommendation you provided as DPO, so that accountability can be demonstrated.
- Be the first point of contact for supervisory authorities and for individuals exercising their data subject rights.
- Foster a culture of risk awareness and data protection within the organisation by raising awareness of data protection issues and training staff.
- Quickly gain an understanding of the processing operations carried out, as well as the information systems and the data security and data protection needs of the employer.
- Any other tasks and duties that may be required, so long as they do not result in a conflict of interest with the role and tasks of a data protection officer.
Qualifications & Experience
- Certifications related to privacy and information security such as CIPP/E, CIPM, CIPT, CISA, CISM or CRISC.
- University-level education, with preference for courses in the faculties of Information Technology or Law.
- Fluent in both spoken and written English [and other language of choice].
- Broad business experience with an understanding of IT operations.
- Experience in managing data incidents and breaches.
- A legal, compliance, IT security/InfoSec or audit background.
- Experience in information systems auditing preferable.
- [x] years of experience in a similar or related role.
Knowledge & Skills
- Knowledge of data protection laws and an in-depth understanding of the GDPR.
- Familiarity with privacy and security risk assessment and best practices, privacy certifications/seals, and information security standards and certifications.
- Familiarity with information technology programming, infrastructure, information security practices and audits.
- Knowledge of the business sector and of the employer's organisation is considered an asset.
- Ability to translate legal documents, requirements and communications into business operations and requirements.
- Ability to communicate effectively with a wide range of stakeholders, such as data subjects, data protection authorities, other controllers and processors, and technical and non-technical teams, across national boundaries and cultures.
- Teaching and didactic skills, as well as the ability to prepare the necessary material for that purpose.
- Leadership and project management skills, achieving stated objectives involving a diverse set of stakeholders and managing varied projects.
- Ability to make good judgements regarding data privacy risks and to prioritise resources and activity around managing those risks.
- Able to conduct the role independently, with integrity and in an ethical manner.
- Ability to establish and maintain a high degree of confidentiality, respect, trust and credibility.
- Strong team player with a proven ability to lead and manage a team.
One response to “GDPR titbits series: Data Processing Officer (DPO) Job Description”
Glad you enjoyed some of the posts. Do you have any topics you'd like to hear more about? I promise to add quirkiness to them 🙂