Among the professions that have emerged in the new millennium and become attractive career options for young technology enthusiasts is undoubtedly that of the Data Protection Officer. In this article we try to shed some light on a figure that is often still little known, explaining who the Data Protection Officer is, what their duties are and how to become one.
Who is the Data Protection Officer
In a few words, the Data Protection Officer (DPO) is a figure introduced by the European regulation on the protection of personal data, the well-known GDPR (Regulation (EU) 2016/679), whose Articles 37 to 39 govern the designation, position and tasks of the DPO.
The Data Protection Officer is not a completely new figure: it is the evolution of the "personal data protection official" already provided for by Directive 95/46/EC, whose appointment allowed Member States to grant certain simplifications or exemptions from the notification obligations of that directive. Titles used in the Anglo-Saxon world for related roles are Chief Privacy Officer (CPO), Privacy Officer or Data Security Officer, although none of these is automatically equivalent to the DPO as defined by the GDPR, which has specific tasks and independence guarantees.
In essence, then, the Data Protection Officer is an eminently legal profile whose job is to protect the fundamental right of individuals to the protection of their personal data, whether those individuals are the employees of a company, an institution, a public administration or any other organization operating in Italy, or the customers whose data that organization handles.
What the Data Protection Officer does
To know in detail what the Data Protection Officer must do, one need only consult the European Regulation on the protection of personal data, which lists the tasks of a DPO in Article 39:
- inform and provide advice to the Data Controller or to the Data Processor as well as to the employees who carry out the processing on the obligations deriving from the EU Privacy Regulation 2016/679 ( GDPR), as well as other Union or Member State provisions relating to data protection;
- monitor compliance with the EU Privacy Regulation 2016/679 (GDPR), with other Union or Member State data protection provisions and with the policies of the Data Controller or Data Processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of the staff involved in processing operations, and the related audits;
- to provide, if requested, an opinion on the data protection impact assessment and to monitor its performance pursuant to Article 35;
- cooperate with the supervisory authority;
- to act as a contact point for the supervisory authority for matters related to processing;
- in carrying out these tasks, the Data Protection Officer has due regard to the risks associated with the processing operations, taking into account the nature, scope, context and purposes of the processing.
It is worth stressing that the responsibilities of the Data Protection Officer are limited: once the DPO has monitored how the organization collects and processes data and has informed and advised the Data Controller, its managers and its employees, the decision on which countermeasures to adopt, and whether to notify a personal data breach, rests with the Data Controller. So if the Data Controller receives a report of a possible breach, it is not up to the Data Protection Officer to decide what to do: the DPO's role is advisory, not decision-making. In practice the DPO's advice should be recorded, because the Data Controller remains accountable under the GDPR for the choice it makes, including the obligation to notify the supervisory authority of a breach within 72 hours where feasible (Article 33).
How to become a Data Protection Officer
If you are interested in working as a Data Protection Officer, here are some indications on how to become one and how to orient your training in this direction.
Let us see what the requirements are to become a Data Protection Officer, in terms of professional qualities, management skills and soft skills:
- expert knowledge of data protection law and practice, at both national and European level (the only requirement the GDPR itself names, in Article 37(5), together with the ability to fulfil the tasks of Article 39);
- a full and deep understanding of the organization for which the DPO performs the role and of its processing activities;
- being easily accessible, for the organization, for data subjects and for the supervisory authority;
- being able to work under pressure and with often very tight deadlines;
- a good understanding of IT (Information Technology) and business terminology and of data management.
From this list we can see that the Data Protection Officer is a figure straddling the law and the world of Information Technology, but there is no training course, degree program or diploma that issues an official title certifying DPO skills, as clarified by the Italian Data Protection Authority (the Garante).
What counts is legal and IT knowledge, an in-depth study of Italian and foreign data protection rules, the working practices of the supervisory authorities and business processes. To build this knowledge, a qualification in the legal or technical field can certainly help, together with work experience in the privacy sector and ad hoc training courses or master's programs, but none of this is binding for the purposes of being hired as a Data Protection Officer.
Data Protection Officer in the Public Administration, in companies and when it is mandatory
Let us now look at the Data Protection Officer in the Public Administration and in companies, and at when (and if) it is mandatory to appoint one.
First of all, the role of Data Protection Officer can be entrusted to one of the organization's employees, but it can also be outsourced to an external consultant (a freelancer or a company) on the basis of a service contract (Article 37(6) GDPR), which should set out the DPO's tasks, the resources made available and the independence guarantees of Article 38. The DPO can therefore be either a natural person or an organization, and a single DPO can be appointed for a group of undertakings, in order to reduce costs, provided that the DPO is easily accessible from each establishment (Article 37(2)).
Having said this, the appointment of a Data Protection Officer is mandatory in the three cases listed in Article 37(1) GDPR:
- for public authorities and bodies (with the sole exception of courts acting in their judicial capacity): the Italian Data Protection Authority considers that all the bodies falling within the scope of Articles 18-22 of the previous Privacy Code (state administrations, national, regional and local non-profit public bodies, local authorities, universities, Chambers of Commerce, public health agencies, independent supervisory authorities) must appoint a Data Protection Officer;
- if the core activity of the Data Controller or Data Processor consists of processing operations which, by their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale: a hospital, for example, has as its core activity the health of its patients, but since to ensure it the hospital must necessarily process their personal data systematically and on a large scale, it is obliged to appoint a Data Protection Officer;
- if the core activity of the Data Controller or Data Processor consists of large-scale processing of special categories of data (relating to health, sex life, genetic and biometric data) or of data relating to criminal convictions and offences: a chain of swimming pools, for example, since it may also handle health data of its members, could need a Data Protection Officer.
As can be seen from these cases, it is rare for a small company to need a Data Protection Officer, but the size of the organization is not in itself among the criteria to be considered when deciding on the appointment: what matters is the nature and scale of the processing, and with today's IT tools and the databases behind them, even the smallest and most unsuspected businesses could need a Data Protection Officer.