The Day-to-Day Work of a DPO
The concept of the Data Protection Officer or DPO was already known before the GDPR was introduced. However, with the coming into force of Europe’s main personal data protection framework, the role of the DPO has become more important for both large companies and emerging startups.
The GDPR reveals the following aspects of this concept:
- the situations in which a DPO must be appointed;
- the particulars of the DPO's position, e.g. the level of their involvement and the availability of appropriate resources;
- the list of the DPO's tasks.
Predominantly, the day-to-day work of a DPO consists of carrying out tasks described in the GDPR. Let us explain in more detail how a DPO can perform such functions from a practical point of view.
Informing and advising
One of the DPO’s tasks is to inform and advise companies and their employees of their obligations under the GDPR. For example, if the company’s employees collect data from a data subject during their duties, the DPO should inform them about the rules they must follow during such activities.
Monitoring compliance
A critical task of a DPO is monitoring compliance with the applicable requirements. In the case of the GDPR, the DPO needs to monitor compliance with both the GDPR and local data protection requirements. Given that many projects now operate in several countries, a DPO needs to monitor the requirements in every country where their company operates, which is a challenging task.
Advice regarding the DPIA
The GDPR specifically mentions the task of the DPO to advise regarding data protection impact assessments and monitor their performance. Companies must carry out a data protection impact assessment when processing may entail high risks for the people whose data is processed, especially in the context of using new technologies.
For example, this is relevant now that, with the development of artificial intelligence, more and more companies are using it, including when processing personal data. Such companies should consider whether a data protection impact assessment is necessary. An experienced DPO can advise on whether the assessment is required and, if so, can support it while it is carried out.
Cooperation and acting as a contact point for supervisory authorities
The DPO's tasks include cooperating with the supervisory authority and acting as its contact point. That is, if the supervisory authority needs to contact the company about any question of GDPR compliance, it will most likely contact the DPO. In such a case, the DPO must ensure cooperation with the supervisory authority.
Other tasks of the DPO
Although the GDPR clearly states which tasks a DPO must perform, this list is not exhaustive. Accordingly, the DPO may be assigned several other duties depending on the situation. For example, a DPO can perform the following tasks in their day-to-day work:
- advising on the implementation of appropriate technical and organisational measures to ensure the security of personal data;
- supporting the development of policies to prevent security incidents, as well as other information security policies;
- supporting the development of policies for handling data subjects' requests and assisting data subjects in exercising their rights;
- conducting internal training, both to raise the general level of awareness of personal data protection and to provide specialised training for particular specialists, including with the involvement of external experts;
- assisting in assessing contractors with whom personal data may be shared, from the point of view of their capacity to process personal data securely;
- promoting the "privacy by design and by default" principle and ensuring that it is implemented in the development of new products;
- assisting in other privacy-related activities.
So what is it like to be a DPO?
To summarise, the day-to-day activities of DPOs consist of various tasks: those stipulated by the GDPR and those that the company may assign depending on its specific situation.
To perform these tasks effectively, the DPO must have a high level of expertise that enables them to advise on the applicable obligations and monitor compliance with the GDPR and other regulatory frameworks.
Also, the role of a DPO requires continuous professional development in privacy because of constant changes in technologies and regulatory requirements. Therefore, a DPO should always be aware of the latest developments in data protection and privacy.