Three Myths About a Data Protection Officer

A Data Protection Officer’s (DPO) role may not seem glamorous, but it is considered crucial in today’s digital environment. The COVID-19 pandemic has changed the global economy in unprecedented ways and has proven that digitalisation is the way to go for businesses that want to survive the current economic environment.

Nowadays, data protection officer courses have been created to help DPOs, staff, and management accelerate their learning journey so they can carry out their jobs better. A data protection course can also help those organisations that want to strengthen their data protection practices.

Tasks of a Data Protection Officer

The acronym GAPSR best summarises the tasks of a DPO. The DPO’s primary task is to assist the organisation when it comes to governing how personal data is used, disclosed, stored, and collected according to the requirements of the Personal Data Protection Act and other relevant data protection laws.

Looking at things from the operational perspective, some of the responsibilities of the DPO include:

  • Assessing the risks that relate to the processing of personal data. This includes performing a data protection impact assessment (DPIA).
  • Protecting the organisation by creating a data protection management programme (DPMP) against identified risks. This also includes implementing processes and policies for handling personal data.
  • Sustaining the compliance efforts by communicating personal data protection policies to stakeholders. This also includes conducting audits and training, as well as the ongoing monitoring of risks.
  • Responding to and managing queries and complaints related to personal data protection. DPOs are also responsible for liaising with local or international data protection regulators, especially in the event of a data protection breach.

Three Myths About Data Protection Officers

There are several myths and misconceptions about data protection officers. Below are some of the most common myths and the truths behind them:

Myth #01: DPOs need to be a compliance or legal officer.

DPOs don’t need to be compliance or legal officers. However, they should be experts in relevant privacy or data protection practices and policies. DPOs should also have an ample understanding of the processing operations carried out by the PIP or PIC, including its information systems and data protection needs. Knowledge of the field or sector of the PIC or PIP, as well as its processes, policies, and structure, is also beneficial.

Myth #02: DPOs need to know IT extensively.

DPOs don’t need to be IT experts. It is important to remember that DPOs have various other roles. Some of the roles of DPOs include:

  • Educating employees and organisations on the importance of compliance requirements.
  • Carrying out audits to address potential issues and ensure compliance.
  • Training staff involved in data processing.
  • Serving as the point of contact between GDPR Supervisory Authorities and the organisation.
  • Providing advice and monitoring the impact of data protection efforts.
  • Interfacing with data subjects and informing them about the data that is being used, their right to have personal data deleted, and the measures companies have put in place to protect personal information.
  • Maintaining a comprehensive record of all the data processing activities conducted by the company, including those processing activities which need to be made available on request.

Myth #03: Only legal or IT experts can become DPOs.

There is no truth to this. DPOs don’t need to be IT or legal experts. However, they need to have expertise in data protection laws and a thorough understanding of the IT infrastructure, technology, and the technical structure of the organisation. That said, it is possible for an existing employee to be designated as the DPO.

DPOs can also be hired externally. Organisations and companies often prefer those that can manage data protection and compliance internally while ensuring non-compliance is reported to the proper Supervisory Authorities. DPOs should also be independent and reliable, with no prior commitments that could interfere with their responsibilities.