Resource Center / Tools and Trackers / DPO Job Description
DPO Job Description
The IAPP developed this sample DPO job description to provide guidance and insights on some of the necessary components for a DPO appointment.
Published: February 2017
The EU General Data Protection Regulation sets out a mandate for certain organizations to appoint a Data Protection Officer — the IAPP has estimated this will translate to 75,000 DPOs across the globe. Cobbling together information from the GDPR and Article 29 Working Party guidance, the IAPP has developed this sample DPO job description. Of course, the DPO is not a one-size-fits-all role, but the official guidance provides insight on some of the necessary components for your appointment. This description is intended to be a jumping off point for you to create one that fits the needs of your organization.
First, a few important things about where the responsibilities of the DPO end and those of the organization begin:
- The employer remains responsible for compliance with data protection law and must be able to demonstrate compliance.
- DPOs must not be instructed how to deal with a matter, what result should be achieved, how to investigate a complaint or whether to consult the supervisory authority; they must not be instructed to take a certain view of an issue related to data protection law, for example, a particular interpretation of the law.
- DPOs should be free from conflicts of interest; they cannot hold a position within the organization that leads them to determine the purposes and the means of the processing of personal data or that otherwise creates a conflict.
- Controllers or processors should:
- identify positions which would be incompatible with the DPO function;
- draw up internal rules to avoid conflicts of interests;
- declare that the DPO has no conflict of interests with regard to function as a DPO, as a way of raising awareness of this requirement;
- include safeguards in the internal rules of the organization and to ensure that the vacancy notice for the position of DPO or the service contract is sufficiently precise and detailed in order to avoid a conflict of interests.
Expertise and Professional qualities
- Expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR;
- Years of experience in data protection program management commensurate with the sensitivity, complexity and amount of data the employer processes;
- Integrity and high professional ethics;
- Ability to handle information and business affairs with secrecy and confidentially as appropriate;
- Demonstrated leadership and project management experience;
- Ability to communicate effectively with the highest levels of management and decision-making within the organization;
- Familiarity with privacy and security risk assessment and best practices, privacy certifications/seals, and information security standards certifications;
- Sound understanding of and familiarity with information technology programming and infrastructure, and information security practices and audits;
- Ability to communicate effectively with data subjects, data protection authorities and other controllers and processors across national boundaries and cultures;
- Adequate self-awareness and confidence to acknowledge knowledge gaps and seek to fill them from reliable sources;
- Knowledge of the business sector and of the employer’s organization;
- Sufficient understanding of the processing operations carried out, as well as the information systems, and data security and data protection needs of the employer;
- In the case of a public authority or body, the DPO should also have a sound knowledge of the administrative rules and procedures of the organization.
Tasks
- Inform, advise and issue recommendations to the employer regarding GDPR compliance;
- Foster a data protection culture within the organization and help to implement essential elements of the GDPR, such as the principles of data processing, data subjects’ rights, data protection by design and by default, records of processing activities, security of processing, and notification and communication of data breaches
- Advise the controller/processor regarding:
- Whether or not to carry out a data protection impact assessment,
- What methodology to follow when carrying out a DPIA,
- Whether to carry out the DPIA in-house or outsource it,
- What safeguards (including technical and organizational measures) to apply to mitigate any risks to the rights and interests of the data subjects,
- Whether or not the DPIA has been correctly carried out and whether its conclusions (whether or not to go ahead with the processing and what safeguards to apply) are in compliance with the GDPR;
- Maintain the record of processing operations under the responsibility of the controller as one of the tools enabling compliance monitoring, informing and advising the controller or the processor;
- Document all decisions taken consistent with and contrary to DPO’s advice;
- Offer consultation once a data breach or other incident has occurred.
Ability to fulfill tasks
- Adequate and regular ongoing training;
- Self-starter and ability to act independently.