According to the GDPR, it is mandatory for many companies to designate a Data Protection Officer (DPO). In fact, the majority of companies could benefit from designating a Data Protection Officer. The processing of personal data involves liability risks, and not complying with the data protection regulations can result in severe penalties. In addition, the regulations of the General Data Protection Regulation (GDPR) are often complex.
A Data Protection Officer takes over the administrative tasks for you and ensures that you are legally on the safe side.
What you need to know in a nutshell
- The Data Protection Officer ensures compliance with legal requirements related to data protection.
- Data protection consulting can reveal security holes in IT, prevent data breaches, and avoid fines.
- Companies can designate an in-house Data Protection Officer or an external DPO.
- Both variants have advantages and disadvantages, such as costs, protection against dismissal, and liability.
In this article
- What is a Data Protection Officer?
- Since when do companies need a Data Protection Officer?
- Which companies must designate a Data Protection Officer?
- What does the topic of data protection consulting involve?
- Which requirements do Data Protection Officer have to meet?
- What are the differences between an external and an in-house Data Protection Officer?
- How do I find a Data Protection Officer?
- Designating a Data Protection Officer?
- How is a Data Protection Officer dismissed?
What is a Data Protection Officer?
The Data Protection Officer (DPO) is an expert in company data protection. They take care of GDPR compliance and the proper handling of personal data such as location, account data, or health information. This includes the secure collection, processing, and deletion of information.
Moreover, they work closely with the competent supervisory to ensure a smooth and compliant process.
DPO’s are also responsible for data protection consulting within the company, making them the ombudspersons for all issues relating to data protection, as well as direct advisors to the management team. They train the relevant employees in data protection on the compliant handling of personal data in accordance with the GDPR. The DPO also provides information on the possible courses of action in the event of a data protection breach.
According to statutory provisions, a data protection officer may be requested externally and may also be designated internally within the company. The external Data Protection Officer should have a certain amount of expertise and, if possible, work with an experienced team so that your employees have a point-of-contact at all times. An in-house Data Protection Officer, on the other hand, should have basic knowledge in the fields of law, IT, and business administration, and must continue their education and training in order to continually meet the legal requirements. It’s also important to note that not every employee can be designated as the in-house Data Protection Officer.
Since when do companies need a Data Protection Officer?
According to the GDPR, designating a Data Protection Officer has been mandatory for certain companies since the regulation was introduced in 2018. You can read about this in Article 37 of the General Data Protection Regulation. It calls for the mandatory appointment of a DPO at every organization that processes or stores personal data for EU citizens. DPOs must be “appointed for all public authorities, and where the core activities of the controller or the processor involve ‘regular and systematic monitoring of data subjects on a large scale’ or where the entity conducts large-scale processing of ‘special categories of personal data,’” such as race, ethnicity, or religious beliefs.
The intention of these provisions is to ensure that personal data cannot be collected, stored, processed, or passed on to third parties without the consent of the data subject or a legal basis. Since the new General Data Protection Regulation, data protection has played an even greater role than ever in day-to-day business operations.
According to the EU GDPR, the obligation to designate a Data Protection Officer affects companies with a certain number of employees who deal with the automated collection and processing of personal data. This is not the case in the UK GDPR.
In the rare case that you are not affected by the designation obligation in accordance with Article 37 GDPR, you are not obligated to designate a Data Protection Officer.
Fines for disregarding the designation requirement
If you are subject to the obligation to designate a DPO and fail to do so, you may have to pay a fine. According to Article 83 of the General Data Protection Regulation, fines of up to ten million euros (approximately £9 million) or a maximum of two percent of annual turnover (turnover from the previous year) may be issued to you as a penalty for non-compliance with the GDPR.
Which companies must designate a Data Protection Officer?
If your company regularly processes sensitive personal data, you need to designate a Data Protection Officer. This is prescribed by law (Article 37 GDPR).
The same applies to companies whose primary activity is the collection and processing of personal data. This affects for companies in the health sector, but also companies that use personal data for business purposes. These include market and opinion research institutes. For these companies, the number of employees who work with the data is irrelevant, even start-ups that only employ a few people can be affected.
Moreover, it is possible that companies that must regularly and systematically monitor people due to their activities are affected by the obligation to designate a DPO.
Do I have to designate an external Data Protection Officer?
If your company is subject to the designation obligation, it is irrelevant whether your Data Protection Officer is an external person or an in-house Data Protection Officer. However, the person designated must be properly suitable in each case.
If you conclude that you do not have to designate a Data Protection Officer according to the GDPR, you should document the reasons for this in detail. In case of doubt, the burden of proof lies with you. A Data Protection Officer in accordance with the GDPR is beneficial even if you do not require one under the statutory stipulations.
The biggest advantages of a designation are the legally compliant handling of the personal data of customers, employees, and partners, as well as the avoidance of data breaches and associated subsequent fines. The seemingly high investment in a DPO pays off quickly if you can permanently avoid the severe penalties for violations.
What does the topic of data protection consulting involve?
Data protection consulting is about making your company and all employees who handle these data aware of the lawful handling of said data. The Data Protection Consultant acts as an ombudsperson and primary point of contact, ensuring compliance with data protection regulations in accordance with the GDPR. .
For example, the DPO takes care of the storage and processing of personal data from customers, employees, and partners. They implement technical and organisational measures (TOM) that contribute to the security of the data collected and train employees in handling data protection programs and processes.
In most cases, they also take on other tasks, such as supporting the documentation on the processing of the data and acting as a link between the company and the supervisory authority (the Information Commissioner’s Office). They can also evaluate existing protective measures in the data protection area and adapt them if it’s needed. If there is a data breach, the Data Protection Officer is the direct contact person for further steps and will check which countermeasures are necessary and advisable. In addition, the Data Protection Officer can offer workshops and training courses for the staff to prevent such data breaches.
DataGuard offers additional services
Offering additional services that your company can benefit from is nothing new for DataGuard. Using machine learning, our web-based data protection platform automates tedious routine tasks for you and your team. It also allows you to view your company's current data protection status and access important documents at any time. The platform also serves as a fast communication channel to your supervising expert. Conversely, our diverse team will always have a suitable contact person available to help with any data protection issues you may have.
Which requirements do Data Protection Officers have to meet?
According to the GDPR, there are no legal requirements or guidelines for working in data protection consulting. This does not automatically mean that every employee in the company or alleged legal expert is suitable to be a data protection consultant. Article 37(5) GDPR states:
“The Data Protection Officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices[...]”.
Thus, a certain specialist knowledge and/or further training in the field of data protection law should be present and verifiable.
Criteria for an external Data Protection Officer
In addition to completing appropriate training, other factors to consider prior to hiring an external DPO include:
- Specialisation: No one is equally good at everything, so the external Data Protection Officer of your choice should be an expert in their field – consider any certificates they may have in this regard.
- Competent team members: Ideally, the Data Protection Officer will work with a diverse team so that they can, for example, consult with an IT expert or an expert on legal matters. This means that you always have access to a team with the right experience for your business.
- Work history: Find out how satisfied previous companies are with the Data Protection Officer and get references.
- Programs and tools: It is not always worth familiarising the DPO with the company’s internal IT systems. If the external data protection consultant brings their own programs or helpful tools with them, they can start immediately and provide valuable tips for everyday practice.
Criteria for an in-house Data Protection Officer
If you decide to designate an in-house DPO who is already employed at your company, you may not select anyone in a management position or even from the management team due to possible conflicts of interest. Solicitors of the company are also taboo.
You should designate someone who is reliable and diligent. Trust also plays an essential role here. It is best to choose an employee who has been with the company for a long time and who you genuinely trust. In addition, the person should be well-versed in the areas of data processing, technology, and business administration, as well as law and data protection. If necessary, any gaps in knowledge must be filled by means of further training.
What are the differences between an external and an in-house Data Protection Officer?
According to statutory provisions, a Data Protection Officer may be an external person or an in-house Data Protection Officer. You can find the former easily with experts like DataGuard. You will find the in-house DPO in your own ranks, because this is an employee who works at your company.
Both options have advantages and disadvantages. In our table, we show you how an in-house and an external DPO score points in the different areas of designation, training period, trust, skills, neutrality, liability, costs, and termination/dismissal.
Prior to hiring a Data Protection Officer, whether in-house or external, consider weighing the pros and cons above to tailor your decision based on your company's needs.
How do I find a Data Protection Officer?
Finding an in-house Data Protection Consultant should be done quickly. Only a select group of employees will meet all the criteria. This small group includes persons who have been with the company for a long time and are trusted by the management team. However, colleagues in management positions or employees who are involved in corporate earnings are excluded.
“With a variety of trusted company's and resources, you can also find an external DPO promptly – like , for example. You benefit from the fact that a team of specialists is behind the DPO, answering all your relevant questions about data protection. If you are looking for a DPO, you should pay attention to certificates and reviews as well as existing references. DataGuard, for example. You benefit from the fact that a team of specialists is behind the DPO, answering all your relevant questions about data protection. If you are looking for a DPO, you should pay attention to certificates and reviews as well as existing references.
Designating a Data Protection Officer
You must officially appoint the Data Protection Officer as soon as data protection consulting is due to begin. Additionally, you must specify the in-house DPO in writing via a so-called designation certificate. There are no specifications regarding the content of this certificate. However, we recommend listing data such as the name and current position of the employee, the date of designation, and their areas of responsibility as the DPO. You should also mention why you selected this employee as the DPO and refer to a legal basis.
If you designate an external Data Protection Officer, this will be done through an independent contract. A contract term of a maximum of two years is common for the initial designation – this way, you can check whether the DPO is meeting your requirements. Thereafter, a common term is four years. You can also issue a designation certificate for the external DPO. The layout of this certificate is similar to a designation certificate for an in-house DPO.
As soon as you have designated a DPO (in-house or external), you must provide the responsible supervisory authority with the contact details of the designated person. From this moment , they are the official contact person for all data protection matters.
How is the Data Protection Officer liable in the event of damage?
An exemption from liability for the company is usually stipulated in the contract of the external DPO. Pay attention to the corresponding information in the contract. This means that in the event of damage – whether due to negligence or intent – the company is not liable- provided that the company has not decided on its own authority against the advice of the Data Protection Officer. This is different for an in-house Data Protection Officer.
The in-house DPO is only liable in the event of gross negligence or intent. The company must prove that the in-house DPO was grossly negligent or had intent. In all other cases, the company is solely liable or shares the damage with the in-house DPO.
How is the Data Protection Officer dismissed?
In-house and external DPOs each hold different protections against dismissal. The in-house DPO can only be dismissed if they grossly neglect their data protection obligations or, for example, do not regularly take part in important training courses. The dismissal of the data consultant only means the release of their duties as an in-house Data Protection Officer – they cannot therefore be fired.
With an external DPO, termination/dismissal is regulated in the contract. You can also dismiss the external DPO without compelling reasons in accordance with the notice period and designate a new DPO.
Since the introduction of the GDPR, the designation of a Data Protection Officer has been mandatory for many companies. This individual is hired to advise the company, check data security, and issue instructions if data protection regulations are violated. It is possible to designate an in-house Data Protection Officer from within your own ranks, but in most cases, it is worth designating an external data consultant.
In some cases, companies that are not required to have a DPO by law can also benefit from the advantages of designating one. DataGuard offers you an experienced team of experts who will reliably support you in data protection issues.
Do you have any questions about compliance with the GDPR or are you looking for an external Data Protection Officer?
At DataGuard, certified experts are at your disposal, and at eye level.