The two-year time frame given to companies to be ready for the European Union’s (EU) General Data Protection Regulation (GDPR), running from its adoption in 2016, concluded on May 25.

Among the numerous critical requirements, the need for appointing a Data Protection Officer (DPO) has been one of the key factors.

We look at the DPO as one of the key success factors for GDPR. It is ideal to position the DPO at the core of GDPR’s readiness and operational framework. To effectively perform the duty of keeping the privacy of individuals intact, large corporations, government bodies, organisations in the health and social care sectors, financial institutions, and most organisations based in the EU will have to appoint a Data Protection Officer, who will be responsible for formulating the data protection strategy and for making the organisation compliant with GDPR requirements.

The criteria to consider while deciding on the appointment of a DPO are summarised below:

A DPO shall be appointed if an organisation meets any of the following requirements: it is a public entity in the EU; it is involved in regular or systematic monitoring of data subjects on a large scale; it processes special categories of personal data on a large scale; or the appointment is required by the EU Member State in its national law.

Personal data includes information on racial and ethnic origin, political opinion, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person and data concerning health.

The role of a DPO is multi-fold, but it revolves around the objective of ensuring that the data subject’s privacy is maintained and their personal data is protected from misuse.

GDPR explicitly lays down the tasks of the DPO: to inform and advise the organisation of its obligations under the Regulation, to monitor compliance with the Regulation, to provide advice on data protection where requested, and to cooperate with the supervisory authority. The DPO also has a more passive role in data protection, through training staff and raising awareness of data protection.

A DPO is uniquely characterised by their designation and independence.

Since the DPO works for the data privacy of the organisation, they should be granted authority and complete autonomy in their field. They must be involved in all decisions of the organisation related to data protection, be accountable only to top management, work independently to prepare mechanisms for data protection, and have direct access to the data processing activities.

The DPO is supposed to act as an intermediary between relevant stakeholders, including supervisory authorities, data subjects, and business units within the organisation.

The DPO is not personally responsible in case of non-compliance with the GDPR.

The DPO must be given sufficient autonomy and resources to carry out their tasks effectively.

Independence from any conflict of interest shall be maintained, i.e. the DPO shouldn’t hold any operational role and should instead be in a supervisory role.

The DPO, with the help of a team if necessary, must be in a position to communicate efficiently with data subjects and cooperate with the supervisory authorities concerned.

The availability of a DPO (whether physically on the same premises as employees, via a hotline or other secure means of communication) is essential to ensure that data subjects will be able to contact the DPO.

Other important pointers are:

According to a study from the International Association of Privacy Professionals, 75,000 DPOs will be needed globally to fulfil the requirement.

The increasing demand for DPOs is bound to create a new discipline, both academically and professionally, in India for both domestic and international markets.

The author is Partner, Deloitte India.