It has been three years since the European Union began applying a landmark legislation for data protection in the region — the General Data Protection Regulation (better known as GDPR). It is the most comprehensive data privacy and security law in the world and reaches far beyond Europe. In light of some of the major updates in the past year, we’re republishing the original series of articles from 2018 to take into account how GDPR has evolved. In this first piece, we look at one of the key aspects — the appointment of a Data Protection Officer (DPO).
What exactly is a DPO?
A simple enough question, but the answer requires some understanding of GDPR and EU data privacy rules.
For any EU citizen, the right to privacy and protection of personal data is secured in the charter of fundamental rights (Articles 7 and 8). Personal data needs to be protected and the processing of it must have a lawful purpose and be transparent. The main instrument for ensuring this prior to 2018 was a combination of EU directives and local law in the different member states. That all changed on the 25th of May, 2018 with GDPR being adopted in all EU and EEA member states.
A DPO (Data Protection Officer) works to protect the fundamental freedoms and rights of data subjects in relation to privacy and data protection.
With GDPR, the role of the DPO became written into the EU law. For some institutions, having a DPO will be mandatory, while others can choose to opt in. The following organizations are required by law to appoint a DPO:
- Public/government institutions
- Organizations processing certain types of sensitive data on a large scale
- Organizations processing personal data that involves large-scale monitoring or surveillance
Recognizing that many of our customers will need to fill this role, itslearning was among the first LMS providers to appoint a DPO. In addition to monitoring our own compliance and providing advice and training to our own staff, our DPO is available to our customers and their DPOs to discuss data privacy issues. I held that role until 2020 when itslearning was acquired by Sanoma Group. The role now sits with Riika Turunen in Sanoma. The details are available on our GDPR page.
The role of the DPO
So back to the original question, what is a DPO? A simple way of putting it is that DPOs work to protect the fundamental freedoms and rights of data subjects in relation to privacy and data protection. To ensure that the DPO puts the rights of the data subject first, not those of his or her employer, there are particular provisions in GDPR to ensure independence. A DPO cannot be instructed in or penalized for the work done as a champion of data protection. He or she can also not have another role that could conflict with personal data protection.
A common misunderstanding about the role is thinking that the DPO is responsible for compliance with GDPR. It is actually the opposite, a DPO cannot have a formal role where decisions are taken that could affect GDPR compliance. Think of it as the difference between an accountant and an auditor; the auditor can advise the accountant and recommend accounting technics, but must remain independent.
Similarly, the DPO must always be consulted in important matters relating to data protection within his organization. He or she could take responsibility for training the organization on their duties under European data protection regulations. The DPO should also be able to proactively assess and monitor compliance, and report back to the highest level of management of the organization. The DPO is also the contact point for supervising authorities in each country who are responsible for ensuring that personal data is processed fairly and lawfully.
The DPO is also responsible for dealing with direct requests from data subjects. However this is limited to requests in cases where the organization is responsible for the purpose of the processing (the controller). For itslearning, the majority of the data we process, is on behalf of our customers. If you are a student, teacher or parent using our customers services, you need to contact the institution you are enrolled in to exercise your rights. Our DPO will, however, do what she can to support your institution in protecting your rights.
People in Europe now enjoy the highest level of data privacy in the world, thank to GDPR. Since its introduction, more people have become aware that their data is valuable and risk to data breaches must be managed rigorously. At itslearning, we take data privacy very seriously with a strong commitment to GDPR and ISO 27001 standards.
For more information on GDPR and your rights as an itslearning user, please visit our webpage: itslearning is GDPR compliant.