GDPR: Data Protection Officer

The General Data Protection Regulation (GDPR) harmonizes data protection law across the European Union (EU). When it becomes applicable on May 25, 2018, individuals in the EU (the GDPR protects data subjects in the Union regardless of citizenship) will gain more control over, and stronger privacy and security guarantees for, their personal data. Since the GDPR was adopted in April 2016, organizations have been working to meet the many new compliance requirements it introduces. One of these is the data protection officer (DPO). This post examines which organizations are required to appoint a DPO and what role the DPO should have within an organization.

If you are more interested in a general overview of the GDPR, consider reading this introductory post instead. If you are unfamiliar with some of the GDPR terms, this page is a helpful resource. Now let’s take a look at the GDPR requirements for a data protection officer.

What is a Data Protection Officer?

A data protection officer (DPO) is the person an organization designates to inform and advise it on its GDPR obligations, to monitor its compliance with the regulation and with its own data protection policies, and to act as the contact point for data subjects and for the supervisory authority (GDPR Art. 39). In practice this means working with the teams that design and run data collection and processing so that those processes follow data protection law and good practice.

When is a DPO Required?

A DPO is mandatory only when an organization meets one of three conditions (GDPR Art. 37(1)):

  • The processing is carried out by a public authority or body (except courts acting in their judicial capacity).
  • The organization’s core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale (for example, behavioral tracking or profiling of the users of an online service).
  • The organization’s core activities consist of large-scale processing of special categories of personal data (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health data, or data concerning sex life or sexual orientation; GDPR Art. 9) or of personal data relating to criminal convictions and offenses (GDPR Art. 10).

For the last two conditions the processing must be part of the organization’s core activities, not an ancillary function (Recital 97); the Article 29 Working Party’s guidelines on DPOs give payroll and standard IT support as examples of ancillary processing that does not by itself trigger the requirement.

While some organizations are required to have a DPO, any controller or processor may appoint one voluntarily, and EU or Member State law may require one in additional cases (GDPR Art. 37(4)). Once appointed, a voluntary DPO is subject to the same requirements as a mandatory one.

Who can be a DPO?

The GDPR specifies that the DPO must be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to carry out the tasks in Art. 39; however, it does not prescribe any particular certification or credential (GDPR Art. 37(5)). The DPO may be a staff member or may be engaged from an external service provider under a service contract (GDPR Art. 37(6)). A staff member who takes on the role may keep other duties only if they do not create a conflict of interest, which in practice rules out positions that determine the purposes and means of processing, such as head of IT, marketing or HR (GDPR Art. 38(6)).

How is an organization supposed to work with a DPO?

Controllers and processors need to keep …

This is a Security Bloggers Network syndicated blog from JumpCloud authored by Natalie Bluhm.

Natalie Bluhm

Natalie is a writer for JumpCloud, an Identity and Access Management solution designed for the cloud era. Natalie graduated with a degree in professional and technical writing, and she loves learning about cloud infrastructure, identity security, and IT protocols.
