DPO or Data Protection Officer: figure explanation


The introduction of the DPO figure does not represent a news for itself. It is not a completely new professional figure even though his presence was not mandatory. Who is the Data Protection Officer? He/She is a professional with specific skills in laws and best practices concerning data protection.

Do we need a DPO?

There are several scenarios where a DPO is mandatory and he/she is systematically nominated by the owner of the processing operations or by the responsible for the processing operations in three specific occasions:

  1. When a public authority runs the processing operations (except from the operations ran by courts)
  2. When the processing operations consist and require the regular and systematic monitoring of the data subjects on a large scale
  3. When the processing operations concern, on a large scale, sensitive data or data related to criminal convictions or felonies.

In all the different scenarios is up to the owner of the processing operations and the responsible for the processing operations whether to choose a DPO or not. Moreover, these figures can delegate an external source such as an association or a third party that can appoint a DPO.


What are the skills of a DPO?

A DPO must prove his/her skills and professional qualities. Basically, the owner of the processing operations / responsible for the processing operations need to consider his/her preparation in data privacy and data processing, both on a theoretical and a practical field. A DPO can be chosen amongst the employees of the data controller. In addition, we can choose a freelance or an independent contractor. Anyway, the data of the DPO must be disclosed to data subjects and communicated to the competent control authority.

The responsibilities of a DPO

According to Article 39 of the GDPR ( GDPR guide ) a DPO has several tasks:

“The data protection officer shall have at least the following tasks:

  1. to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
  2. to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
  3. to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
  4. to cooperate with the supervisory authority;
  5. to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.

The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.”


A DPO and the right protection tool

In order to assure to your business the best tool available, Swascan together with Raoul Chiesa ( Raoul Chiesa interview ) developed a special cybersecurity platform. It is completely in Cloud, Pay per Use and SaaS. You can see for yourself in our brochure: Cybersecurity platform and have an in-depth look at our services. Our four services cover all the governance needs in terms of risk management and periodic assessment. Basically, the right tools to understand your focus areas are Vulnerability Assessment, Network Scan, Code Review and GDPR Assessment. Last but not least, don’t forget GDPR: our platform is 100% GDPR compliant ( GDPR infographic ).

MacOS High Sierra: a vulnerability issue
Meltdown and Spectre: the new faces of cybersecurity

Cyber Incident Swascan Emergency

Contact us for immediate support

The undersigned, as data subject, DECLARES that I have read and understood the content of the privacy policy pursuant to Article 13, GDPR. AGREE to the processing of data in relation to the sending by the Data Controller of commercial and / or promotional communications relating to (i) own products / services, or (ii) products / services offered by third parties.
The consent given may be revoked at any time by contacting the Data Controller at the addresses provided in the aforementioned privacy policy.