A data protection officer (DPO) is an individual tasked with ensuring a company exhibits good data governance by maintaining compliance with GDPR and acting as a liaison between an organization and public authorities for all things GDPR. The DPO can be an employee within the company, or external to the company, but s/he must not be subject to conflict of interest claims because of his/her role within the company. In addition, the DPO should have access to senior management within the company and cannot be penalized for carrying out his/her responsibilities.

Below we’ve outlined a non exhaustive list of the DPO’s core responsibilities:

• Ensuring his/her organization is aware of, and trained on, all relevant GDPR obligations
• Training staff involved in data processing
• Conducting audits to ensure compliance and address potential issues proactively
• Acting as a liaison between his/her organization and public authorities
• Acting as a liaison between the organization and data subjects
• Monitoring performance and providing advice on the impact of data protection efforts
• Maintaining comprehensive records of all data processing activities conducted by the company, including the purpose of all processing activities

While all of these responsibilities are designed around helping an organization be compliant with GDPR, the DPO does not need any formal training or expertise. Often times the DPO has a legal background, but there is no specific requirement for DPOs.