What a DPO is. And what a DPO isn’t.
Adviser, evangelist, assessor, critic, facilitator: this is what the GDPR expects from the DPO. The closest analogy is a non-executive director (NED) with specific responsibility for data protection.
Like the NED, the DPO provides a creative and informed contribution. Like the NED, the DPO takes responsibility for monitoring the performance of the executive team in achieving the company’s (data protection) strategy and objectives.
Like the NED, the DPO is not part of the executive: the DPO is not responsible for the execution of data protection within the organisation. This, interestingly, is where a number of organisations get it wrong: they expect the DPO to be head of data protection compliance. However, it’s clear (well, clear-ish) from the GDPR that the DPO’s primary role is to monitor, advise and cajole: unlike the NED, it’s not the function of the DPO to take decisions for the company.
The DPO is also, like the NED, independent. To quote the GDPR, the organisation must ensure that the DPO “does not receive any instructions regarding the exercise of those tasks”. Like the NED, the DPO must not be put in a position which conflicts with his or her independence. In practice, this makes it difficult for the DPO to also hold down a senior position in the executive. He or she can’t easily be the CIO, CTO, CMO (or any other member of the C-suite) or have a place on the Board.
Here’s what the GDPR expects from the DPO:
- Inform and advise the organisation and its employees of their data protection obligations.
- Cooperate with the ICO as a facilitator.
- Monitor the organisation’s compliance with data protection regulation and with its own data protection policies.
- Act as the contact point for the ICO, and consult with it, where appropriate, on any other matter.
- Advise where requested as regards DPIAs, and monitor the execution of DPIAs.
- Respond to any questions or complaints addressed to the DPO, in particular from individuals.