Skills, tasks, and obligations of the DPO, the Data Protection Officer, a professional role established with the adoption of the GDPR.
The protection of privacy is, at least in intention, one of the priority objectives of European institutions, and for this reason, the protection of personal data becomes a central element in achieving the objective. Within this line of action, the role of the DPO, the Data Protection Officer, has become central.
Let's find out who the Data Protection Officer is and what they do.
What does DPO or RPD mean?
DPO stands for Data Protection Officer, a role that already has an Italian equivalent: the RPD, Responsabile della Protezione dei Dati, as the Italian Privacy Guarantor (Garante) reminds us.
The role is generally known as DPO because it is a figure introduced by the new European privacy regulation (the GDPR, another acronym).
This profession is fully part of the European Community's efforts to protect personal data, including the GDPR, which lays down a series of rules on the processing and circulation of the personal data of natural persons.
Who is the DPO and what do they do?
But let's delve deeper: who is the DPO or RPD? What are their skills? And what are their tasks?
According to the provisions of the GDPR, this figure has expertise in regulatory matters (European, national, and international), knowledge of managing business processes and data flows within even complex organizations, and skills in information security, given the strong and almost complete digitalization of data. Not least, they must possess absolute autonomy and independence in carrying out their activities. The DPO is therefore a consultant with broad managerial, technical, and legal skills. The DPO may be appointed internally within a company or a public entity (in some cases this is mandatory, as we will see), paying close attention to positions incompatible with the role and to the personal responsibility of those assigning the task (Data Controller or Data Processor) to make a choice that does not lead to "culpa in eligendo". The figure can also be external, as is the case in most situations, appointed through a legal contract.
The DPO has an "internal" role, providing advice and oversight for the organization they work with.
However, the DPO also has an "external" role, namely liaising with the Data Protection Authority.
The main task of the DPO is to support the so-called data controllers and processors (more precisely the "Controller" and the "Processor"): essentially, they must advise them to ensure compliance with current regulations and the use of appropriate technical and organizational measures.
The European Regulation specifies the tasks of the DPO in detail in Article 39. Here is a non-exhaustive list:
- Know the provisions of the European GDPR Regulation, in addition to other national and community privacy regulations, in order to inform the members of the organization involved in data processing and provide them with advice.
- Monitor the implementation of both the GDPR Regulation and other relevant regulations by the personnel of the organization to which they belong.
- Cooperate, as mentioned, with the authority overseeing the implementation of privacy regulations (in Italy, the Garante della Privacy), thus playing a coordinating role between the organization and the Authority, for example in cases of prior consultation as provided for in Article 36 of the GDPR, or during monitoring.
- Carefully consider the risks inherent in the processing of the personal data of natural persons, also taking into account the context and purposes for which they are processed.
DPO and GDPR: when it is mandatory
The role of the Data Protection Officer is not mandatory for every type of organization. In Article 37 of the GDPR, the European regulation identifies the cases in which the appointment of such a figure becomes essential:
- When the processing of personal data is carried out by public entities. There is an exception: judicial authorities, in the exercise of their functions, are not required to appoint a DPO.
- When the Data Controller or Data Processor of an organization carries out regular and systematic monitoring of personal information on a large scale.
- When such regular, systematic, and large-scale monitoring activities involve information considered sensitive (as provided by Article 9 of the GDPR: racial/ethnic origin, political opinions, religious beliefs, genetic or biometric data, data concerning health or sexual orientation, and so on) or information relating to criminal convictions (Article 10 of the GDPR).
- Or for the specific categories indicated on the Guarantor's website (for example: healthcare companies, insurance, financial, IT service providers, the utilities sector (telecommunications, energy distribution, gas and others), auditing firms, etc.).
Come and discover the role of the DPO
Assoprovider meets in Rome on June 15, 2022, starting at 10:00 AM. The event, titled APMPRO22, is a traveling format, the Marketplace of our organization. The meeting will focus on proposals from both members and non-members of Assoprovider, producers and distributors of solutions for TLC, Security, IoT, and Software.
During the event, it will also be possible to delve into some topics of concern to industry operators. Specifically, there will be presentations on the GDPR and the DPO, led by Luigi Perrella, Certified DPO UNI 11697:2017, GDPR & IT Security Consultant, founder and CEO of Start Up Data Protection, and Fulvio Sarzana di Sant'Ippolito, lawyer, expert in telecommunications law, who supports Assoprovider in its legal battles.
For information and registration, visit the dedicated page: APMPR022