This month, we shall focus on discussing the position a data protection officer occupies within an organisation.
The DPO is a member of the organisation and has the responsibility to ensure data protection compliance within it. The role is such that the DPO should be allowed to perform her duties independently. The nature of the DPO's role is to ensure that management decisions affecting the personal data of data subjects do not violate data protection laws. Therefore, the DPO, as a matter of necessity, must report to the highest level of management.
The EU has established certain rules which expressly provide that:
- the DPO shall not receive any instructions regarding the performance of her duties;
- there must not be a conflict of interest between the individual's duties as a DPO and her other duties. To avoid conflict, it is ideal to outsource DPO services instead of using in-house staff;
- a DPO should not also be a controller of processing activities (for example, if she also heads another function, such as project management or human resources);
- if the DPO is a member of staff, she should not be an employee on a short or fixed-term contract;
- a DPO should not report to a direct superior but to top management;
- a DPO should have responsibility for managing her own budget.
The organisation must provide staff and resources to support the DPO in carrying out her duties. In this respect, DPOs in EU institutions and bodies can be supported by an assistant or deputy DPO and rely on data protection coordinators (DPCs) in each section of the organisation. Access to resources also includes training facilities.
The DPO should have the authority to investigate. In EU institutions and bodies, for instance, DPOs have immediate access to all personal data and data processing operations, and those in charge of such operations must provide information in reply to her questions.
A minimum term of appointment and strict conditions for dismissal must be set out by the organisation for a DPO. In the EU institutions and bodies, the DPO is appointed for a period between three and five years, may be reappointed and can be dismissed only with the consent of the EDPS.