What are the tasks of the Data Protection Officer?

The tasks of the Data Protection Officer are not to be mistaken for those of the Chief Data Officer or the Information Security Officer. This article gives an overview of the tasks of the Data Protection Officer.

In a nutshell, the tasks of the Data Protection Officer are about compliance with privacy rules. These rules can be either hard law such as the new EU General Data Protection Regulation (GDPR) or soft rules such as best practices as required by Corporate Social Responsibility (CSR) standards.

By virtue of GDPR, your company will likely require a Data Protection Officer if your core business activities comprise regular and systematic collection of personal information. The role of the Data Protection Officer can be given to an employee with adequate qualifications or outsourced to an external expert.


Unlike the Chief Data Officer, the Data Protection Officer is not primarily concerned with the commercial use of data, although a good Data Protection Officer would take into account the needs of the business. And unlike the Information Security Officer, her primary concern would not be physical and IT data security solutions, although as part of the compliance process she must be satisfied that appropriate data security solutions have been put in place.

The Data Protection Officer needs to address privacy compliance at all stages of the company's data processing operations. This is so because data protection applies equally to data collection, data analytics, data storage and onward data transfers. In addition, the Data Protection Officer needs to deal with privacy risks and data protection impact assessments.

Compliance of data collection processes

Personal information can be collected directly from your customers, prospects or employees, or it can be obtained via a third party. In either case, the Data Protection Officer will need to look into such procedures and determine whether they comply with the data protection law. Where they do not, the Data Protection Officer would determine what needs to be done in order to achieve compliance. This could include the obtaining of the individuals’ consent for the processing of their personal information, or adapting the data processing purpose.


Ensuring purpose-specific data use

From personal data analytics to direct marketing, the Data Protection Officer needs to be satisfied that any use of personal data complies with the purpose limitation principle. Purpose limitation means that personal data is used for the purpose for which it has been gathered. One should note that the GDPR allows for some exceptions to the principle of purpose limitation, notably if the data in question has been pseudonymised. Such exceptions would be taken into account by the Data Protection Officer.

Keeping the Privacy Policy up to date

A company processing personal data should maintain a Data Protection Policy or, under a different name, a Privacy Policy. One can have separate policies for customer data and employee (i.e. HR) data. Moreover, a Data Protection Policy may comprise different layers, from a notice of consent shown to the customer upon data collection to a complex document describing in detail the company's data processing operations. The Data Protection Officer would normally be the owner of any such documents and would need to make sure they are kept up to date and in line with the company's actual activities.

To find out more about the tasks of the Data Protection Officer, notably in relation to data protection impact assessment, data storage and data exports, sign up to Aphaia’s Knowledge Centre library to read our full White Paper on the topic.
