Since the General Data Protection Regulation (GDPR) came into force, the way companies and public authorities organize the protection of personal data has changed fundamentally. The GDPR delineates the tasks of the individual bodies more clearly, and data protection officers have gained importance. The protection of the data of natural persons is in the foreground.
But what are the tasks of data protection officers? How can companies ensure that such tasks meet the requirements of the GDPR? In this article, we answer the most important questions about the topic.
The most important facts at a glance
- Internal and external data privacy officers advise the responsible bodies (companies or authorities) and support them in implementing data privacy regulations within the company.
- Internal and external data privacy officers are contacts inside and outside the company: they advise not only employers, the employees involved and, if applicable, the works council, but also customers and contractual partners. They also work closely with the supervisory authority.
- The data protection officers’ tasks also include checking that the employees of the responsible body are trained. They are integral to data protection training courses in which employees learn about data protection regulations.
Are companies required to appoint a data protection officer?
Under the law that preceded the GDPR, data protection officers were also responsible for operational tasks; since the GDPR, their job is to support the responsible body in fulfilling its data protection obligations. The responsible body itself has to ensure that data protection is effectively implemented, demonstrably organized, and sufficiently monitored.
The GDPR only requires a data protection officer in specific cases (Art. 37 GDPR): for public authorities, and where the controller’s core activities consist of large-scale regular and systematic monitoring of data subjects or large-scale processing of special categories of data. National law may add further cases. Outside these cases there is no legal obligation, but it can still make much sense to seek support in meeting data protection requirements. Each company must decide whether it needs an external or an in-house data protection officer for this purpose. In another article, we list the advantages and disadvantages of both options.
The company or authority must also function and be effectively monitored if it has no data protection officer. Where one is appointed, data protection officers act as a kind of “small supervisory authority” and assume an advisory role within the company or authority. Their task is to develop and implement monitoring concepts together with the responsible body.
What does the GDPR require from companies?
Most companies and public authorities are affected by challenges concerning data protection. In the digital age, automated processing of personal data occurs in almost every company. The resulting data protection obligations are the starting point for the GDPR: The aim is to ensure that all companies comply with data protection laws and responsibly handle the data of natural persons.
Thus, responsible entities must prove that they comply with the legal requirements (so-called accountability). Companies and public authorities must know their rights and obligations and organize their operations in such a way that they meet the requirements. If they fail, this is known as organizational culpability, for which they may be liable and subject to expensive sanctions.
The company’s obligations include developing a data protection concept, properly instructing suitable employees, and carrying out internal controls for data protection. Here data protection officers come in: As internal contacts, they are entrusted with monitoring compliance with the GDPR and helping the responsible bodies minimize liability risk.
In addition to the data protection officer as an internal monitoring body, there are external bodies that directly or indirectly monitor the controller (the company or public authority):
- The competent supervisory authority: As a public body or supervisory authority, it monitors companies’ compliance with data protection laws.
- Data subjects or associations: By exercising their rights (e.g., lodging complaints or initiating legal action in the event of violations), data subjects can exert influence and control over data privacy in companies. Sometimes they assign their rights to specialized associations or turn to the press. As a result, data subjects often pose the most significant risk to companies, because sanctions and loss of reputation can follow.
- Works council: The works council is primarily concerned with the interests of employees and, to this end, also with compliance with data protection laws designed to protect employees.
Central tasks of data protection officers
Data protection officers have two core areas: Advising and monitoring.
It follows that they first provide advice on the implementation of the GDPR and then review and monitor the implementation and effectiveness of data protection.
Internal and external data protection officers advise the responsible bodies and support them in implementing data protection regulations within the company. To this end, they can propose strategies and organizational measures. They also support the management of their company in solving specific problems:
- Informing those responsible and employees about their data protection obligations.
- Advising data subjects on issues relating to the processing of their data and the rights to which they are entitled.
- Advising on the implementation of data protection impact assessments.
Data protection officers are contact persons inside and outside the company: they advise employers, employees involved, and, if applicable, the works council, their customers, suppliers, and contractual partners.
In an advisory capacity, data privacy officers assist the works council. In this case, it is not uncommon to hold mediation talks between the employer and the works council, so that not only expertise but also tact and negotiation skills are required. In most cases, data privacy officers have to act as neutral mediators.
They also work closely with the supervisory authority. Here, data protection officers form an interface between the company and the authority and work closely with both sides to implement data protection requirements. If the supervisory authority has data protection-related questions for the company, it usually contacts the data protection officer directly as an expert.
Data protection officers inform the persons responsible and the employees involved in the processing operations about their obligations under data protection law. In addition, data protection officers advise the responsible parties on the provisions of data protection law and how these can be integrated into the operational process. To this end, they can propose concrete strategies and organizational measures.
Drawing up concepts and guidelines
As experts in data protection regulations, data protection officers assist in creating legal documents in this area. These include data protection policies, agreements (such as data processing agreements), rules on Internet and e-mail usage, and guidelines on how to handle data subject requests.
For this purpose, the data protection officer is consulted on whether a planned processing operation is necessary and on how it should be carried out. Where a processing operation requires prior consultation with the supervisory authority, the data protection officer usually conducts that consultation.
Data protection breaches
For example, personal data breaches must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of them (Art. 33 GDPR). This very short deadline presupposes adequate processes that enable any employee to recognize a data protection breach and escalate it. The one-month deadline for responding to data subject requests (Art. 12 GDPR) likewise requires an established structure and organization.
To this end, data protection officers must support their employers in developing and establishing such processes and guidelines.
Data privacy officers are also responsible for advising on preparing data privacy statements and data privacy documentation. Data protection documentation, in particular, is essential to fulfilling the company’s duty of accountability.
Further education and training of employees
One of the tasks of data protection officers is to check whether the employees of the responsible body have received training. Contrary to a frequent expectation, employee training is generally the employer’s responsibility. Data protection officers, however, are responsible for monitoring it and checking it for compliance. They are therefore an integral part of data protection training courses for employees, which ensure that all employees are familiar with the requirements of data protection and implement them in their daily work.
Providing training by data privacy officers not only ensures the necessary legal certainty concerning the content. They also have a psychological effect: employees get to know the data privacy officer as an expert in their field and get in touch with them personally. This lowers the inhibition threshold to ask them questions and approach them with problems in their everyday work.
The data privacy officers also provide regular information about innovations and potential for improvement, for example, in a newsletter or circular note.
Data privacy impact assessment
Where a processing operation is likely to result in a high risk to the rights and freedoms of natural persons, companies and authorities must carry out a data protection impact assessment (Art. 35 GDPR); this applies in particular to large-scale processing of special categories of data and to systematic monitoring. The data protection officer advises on whether an assessment is necessary and how it should be carried out. If the assessment shows a high residual risk that cannot be mitigated, the supervisory authority must be consulted beforehand (Art. 36 GDPR), and data protection officers typically handle that consultation.
Data protection officers monitor compliance with data protection guidelines as the interface between the company and the supervisory authority. They monitor:
- Compliance with data protection obligations when processing personal data in accordance with the GDPR. Non-compliance with the GDPR represents an economic risk for companies, since supervisory authorities can impose fines of up to EUR 20 million or 4% of annual worldwide turnover (Art. 83 GDPR). This makes it all the more important to use risk management tools, such as the Priverion data protection platform, which helps to implement and monitor data protection policies.
- Compliance with the policies that have been developed, for example, regarding responsibilities or training
- Assigning responsibilities to other employees
- The sensitization of employees
- Cooperation with the public authority
- If the employer carries out checks, for example, on employee compliance, data protection officers must also be involved.
Data controllers are required to keep a record of processing activities (Art. 30 GDPR); this is particularly easy and efficient with the Priverion data protection platform. Data protection officers provide advice and check the record for completeness and consistency.
Powers of data protection officers
It is important that data privacy officers serve the company’s or authority’s self-monitoring function, i.e., they also draw attention to grievances and misconduct. This can be unpleasant for the management of the company or authority.
To ensure adequate control, data protection officers must not receive instructions regarding the exercise of their tasks and may not be dismissed or penalized for performing them (Art. 38 GDPR), i.e., the persons in charge have no influence on their actions and must grant them freedom in their decisions and activities.
For data protection officers to properly perform their duties, they rely on the support of their employer. The GDPR requires responsible entities to provide the necessary resources to enable data protection officers to do their job.
In particular, the following powers are to be granted by the responsible parties:
- The collection of information used to identify processing activities in the company.
- To review and analyze the processing of data for the lawfulness
- To act in an advisory and informative capacity vis-à-vis the data controller.
The GDPR also makes clear who is responsible in the event of a deficiency:
- Monitoring compliance with data protection law provisions does not result in the data protection officer bearing responsibility in the event of a breach.
- It is not the data protection officer but the responsible body that must take appropriate measures to comply with the legal requirements and provide evidence. The data protection officer will only act in an advisory capacity.
- Compliance with data protection law, in particular the GDPR, is always the responsibility of the controller, not the data protection officer.
At the same time, data protection officers must consistently perform the above tasks in their employer’s interests. The central mission is, therefore, to work in a risk-oriented manner.
That means they should not only keep an eye on the risk associated with the processing operations on the side of the affected person but must also include the risk to the company in the event of a legal violation.
In practice, this means taking a selective and pragmatic approach to fulfilling one’s duties, constantly assessing the most significant risks to data subjects and controllers, and prioritizing one’s activities accordingly.
In contrast, data protection officers must not neglect any tasks or measures simply because they pose a comparatively low risk. For data protection officers, this can result in a complex balancing of the tasks they have to perform, which requires a certain amount of tact.
Are you a data protection officer or considering becoming one?
As an in-house or external data protection officer, you have many tasks to organize daily. Your guiding principle is always to comply with all data protection regulations.
You are the person with the best knowledge of data protection in your company or authority, and you provide advice and support to employees, superiors, and external parties. As a result, the job is anything but boring and requires professionalism and sensitivity in dealing with your fellow employees.
Balancing compliance with data protection regulations and the employer’s interests can be challenging. You always need to weigh the risks to your employer and to the data subject. The fields with the highest risks must be prioritized accordingly, without forgetting the less risky areas in the stressful daily routine.
The true art of a data privacy officer is not to lose sight of the big picture amidst all these demands and to meet all obligations. The advantages that the Priverion data protection platform brings are therefore highly valued.
Do you need support in data protection law? Our team consists of experts from the fields of data protection law, IT and security. We will be happy to support you in implementing data protection requirements. Contact us at any time for an initial non-binding consultation.
Reading tip: In this article, we take a closer look at the individual monitoring tools of the data protection officer.