Fonte: ICO. UK
At a glance
- The GDPR introduces a duty for you to appoint a data protection officer (DPO) if you are a public authority or body, or if you carry out certain types of processing activities.
- DPOs assist you to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority.
- The DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level.
- A DPO can be an existing employee or externally appointed.
In some cases several organisations can appoint a single DPO between them. - DPOs can help you demonstrate compliance and are part of the enhanced focus on accountability.
Checklists
Appointing a DPO
☐ We are a public authority or body and have appointed a DPO (except if we are a court acting in our judicial capacity).
☐ We are not a public authority or body, but we know whether the nature of our processing activities requires the appointment of a DPO.
☐ We have appointed a DPO based on their professional qualities and expert knowledge of data protection law and practices.
☐ We aren’t required to appoint a DPO under the GDPR but we have decided to do so voluntarily. We understand that the same duties and responsibilities apply had we been required to appoint a DPO. We support our DPO to the same standards.
Position of the DPO
☐ Our DPO reports directly to our highest level of management and is given the required independence to perform their tasks.
☐ We involve our DPO, in a timely manner, in all issues relating to the protection of personal data.
☐ Our DPO is sufficiently well resourced to be able to perform their tasks.
☐ We do not penalise the DPO for performing their duties.
☐ We ensure that any other tasks or duties we assign our DPO do not result in a conflict of interests with their role as a DPO.
Tasks of the DPO
☐ Our DPO is tasked with monitoring compliance with the GDPR and other data protection laws, our data protection policies, awareness-raising, training, and audits.
☐ We will take account of our DPO’s advice and the information they provide on our data protection obligations.
☐ When carrying out a DPIA, we seek the advice of our DPO who also monitors the process.
☐ Our DPO acts as a contact point for the ICO. They co-operate with the ICO, including during prior consultations under Article 36, and will consult on any other matter.
☐ When performing their tasks, our DPO has due regard to the risk associated with processing operations, and takes into account the nature, scope, context and purposes of processing.
Accessibility of the DPO
☐ Our DPO is easily accessible as a point of contact for our employees, individuals and the ICO.
☐ We have published the contact details of the DPO and communicated them to the ICO.
Clique aqui para ler a matéria completa.
