We’ve recently been getting asked the question: What is a Data Protection Officer? This is a sign of just how much interest there is in the position of the Data Protection Officer. Organisations, both in the European Union and outside, have indicated that they want to know how to deal with this position in their organisation.
What is a Data Protection Officer?
A Data Protection Officer is essentially a compliance officer who deals with the data protection issues an organisation faces. Their job is to help the organisation protect the data it processes. A range of issues fall under the sphere of data protection, and all of them need your attention if you are a Data Protection Officer.
- The Data Protection Officer job requires you to be well aware of relevant laws and to raise awareness of those laws within the organisation.
- You must help the organisation with data protection compliance by formulating strategies, policies, and establishing practices.
- You must look into the risks that data processing can expose an organisation to and help the organisation in their attempts to avoid those risks.
But they should not be regarded as saviours of the organisations they work for. They have no super-human abilities that make the impossible happen. They do their jobs by reporting directly to management and by continually receiving the resources and support the organisation can afford to give them to carry out their functions. Organisations cannot make Data Protection Officers’ jobs harder by disregarding data protection laws and still expect them to come to the rescue, or to be liable, when the organisation is in legal trouble.
They are not personally responsible for data breaches.
The Board’s Guidelines on Data Protection Officers emphasise that Data Protection Officers “are not personally responsible in case of non-compliance with the GDPR,” and that they need all the help they can get to ensure their organisation’s compliance.
How is an Information Officer under POPIA different?
An Information Officer under the Protection of Personal Information Act and the Promotion of Access to Information Act is very similar to a Data Protection Officer. They share essentially the same main task: help the organisation process data lawfully. There are a few key differences, however. POPIA requires all organisations to appoint one, while the GDPR only requires certain organisations to do so. Under POPIA, the CEO of an organisation is by default the information officer until someone else is appointed, whereas the GDPR has no such requirement. An organisation also has to register the information officer with the Information Regulator, whereas the GDPR simply requires that the Data Protection Officer’s contact details be given to the supervisory authority.
Actions you can take
- Answer the question “what is the GDPR,” and understand what it requires from your organisation by attending a GDPR workshop or sending us all your questions.
- Empower yourself to deliver on all the duties of the Data Protection Officer job with our help.
- Subscribe to the Michalsons newsletter to receive future updates.