DPO Job Description

The EU General Data Protection Regulation sets out a mandate for certain organizations to appoint a Data Protection Officer — the IAPP has estimated this will translate to 75,000 DPOs across the globe. Cobbling together information from the GDPR and Article 29 Working Party guidance, the IAPP has developed this sample DPO job description. Of course, the DPO is not a one-size-fits-all role, but the official guidance provides insight on some of the necessary components for your appointment. This description is intended to be a jumping off point for you to create one that fits the needs of your organization.

Responsibilities of DPO and organization

• The employer remains responsible for compliance with data protection law and must be able to demonstrate compliance.
• DPOs must not be instructed how to deal with a matter, what result should be achieved, how to investigate a complaint or whether to consult the supervisory authority; they must not be instructed to take a certain view of an issue related to data protection law, for example, a particular interpretation of the law.
• DPOs should be free from conflicts of interest; they cannot hold a position within the organization that leads them to determine the purposes and the means of the processing of personal data or that otherwise creates a conflict.
• Controllers or processors should:
  • Identify positions which would be incompatible with the DPO function;
  • Draw up internal rules to avoid conflicts of interests;
  • Declare that the DPO has no conflict of interests with regard to function as a DPO, as a way of raising awareness of this requirement;
  • Include safeguards in the internal rules of the organization and to ensure that the vacancy notice for the position of DPO or the service contract is sufficiently precise and detailed in order to avoid a conflict of interests.