In certain cases, companies have an obligation to appoint a data protection officer. This obligation applies both to companies that process data themselves and to companies that process data on behalf of other companies. Public authorities must also appoint a data protection officer, either by recruiting one or by outsourcing the role.
The role of a data protection officer, or DPO, can be fulfilled in several ways:
- the company / organization employs a full-time DPO;
- the company / organization purchases the DPO as a service. In other words, the DPO is a legal entity outside the company or organization. In this case, the DPO contact details of that external legal entity serve as the DPO contact details of the company.
What are the tasks of a data protection officer?
- inform and advise the controller or processor and the employees processing personal data regarding their obligations under the General Data Protection Regulation and other data protection rules and laws of the European Union or the Member States;
- monitor compliance with the principles of personal data protection, including the division of responsibilities; raise awareness, including training, of staff involved in the processing of personal data;
- advise on the data protection impact assessment and monitor its performance;
- co-operate with the supervisory authority and act as the contact person for the supervisory authority in matters concerning the processing of personal data.
The data protection specialist is familiar with data protection legislation, standards, certificates and practices at an expert level. He/she assists the data controller and monitors its compliance with the requirements for the processing of personal data.
Competences / skills of a data protection officer
A DPO must know:
- information security principles and cyber security technologies;
- the company's values and goals, including vision, mission and strategy, internal and business processes, work organization rules, procedures and guidelines;
- European Union and Estonian data protection law, as well as the legislation governing the operation of the enterprise, organization or institution that regulates its field of activity more specifically (for example, the Cyber Security Act, the Public Information Act);
- principles and methods of data analysis and profiling, including pseudonymisation, anonymisation and encryption;
- frameworks and methods for risk analysis and risk management, including frameworks and methods for conducting data protection impact assessments;
- EU and national legislation, case law, opinions and guidelines of data protection authorities.
A DPO must be able to:
- implement the principles of data protection by default and by design (integrated data protection);
- identify and document personal data breaches, data leaks and cyber incidents.