The data protection officer role is a new feature for many organizations now subject to the EU General Data Protection Regulation, which specifies the criteria for designating a DPO, describes the position, and enumerates its responsibilities. Critically, for many companies, designating a DPO is not optional. In any case, the Article 29 Working Party’s guidance makes it clear that, once chosen, both mandatorily and voluntarily designated DPOs have the same responsibilities. The Working Party (now the European Data Protection Board) further suggests that it may be in the interest of companies not legally required to designate a DPO to do so anyway, whether “internal” or “external.” Either is expressly allowed by the GDPR. Internal DPOs are employees of the organizations they advise; external DPOs are retained via service contract and may be self-employed or employees of another company (e.g., a law firm).
First and foremost, data protection officers — whether inside or outside of the organization — counsel on legal and regulatory compliance and are therefore on the front lines of enterprise risk. Infringement of the GDPR and national data protection regimes can carry significant financial penalties; the figures are familiar to everyone: 4 percent of global turnover or 20 million euros.
Could DPOs conceivably be exposed to staggering personal liability for data protection violations by their employers or clients? What are the risks of liability for both internal and external DPOs and what options might be available to them to mitigate or insure against that risk?