The Data Protection Officer must gather the right knowledge to perform his or her tasks
By now, companies are familiar with the General Data Protection Regulation (GDPR). After all, it came into force in August 2020, two years ago, and since last year administrative sanctions can and must be applied. However, the law is not entirely clear on some aspects, one of which is the Data Protection Officer, or DPO.
Hiring a DPO is mandatory for all companies that handle personal data, whether it belongs to employees, customers, or business partners. The only exception is for micro and small enterprises, a topic we have already discussed. The main function of this professional is to ensure that personal data is processed in compliance with local law. Other duties include:
I – to accept complaints and communications from the titleholders, provide clarifications, and adopt measures;
II – to receive communications from the national authority and adopt measures;
III – to orient the entity’s employees and contractors regarding the practices to be adopted for protecting personal data; and
IV – to execute the other attributions determined by the controller or established in complementary norms.
However, the GDPR does not determine specific training for this professional. To this end, the Normative Instruction SGD/ME 117 was published by the Ministry of Economy, which provides for the appointment of the Data Protection Officer in the scope of bodies and entities of the public administration.
According to the regulation, the DPO “must have multidisciplinary knowledge essential to the fulfillment of his/her tasks, preferably on the topics of privacy and protection of personal data, legal analysis, risk management, data governance and access to information in the public sector”. In addition, “they must not be located in the Information Technology units or be the responsible manager of information systems of the body or entity”.
Therefore, although no specific training is required, the Data Protection Officer must gather the right knowledge to perform his or her tasks. In practical terms, this professional must know the law in depth, checking that data processing activities comply with current legislation. Likewise, he or she must understand the processes and avoid incidents that lead to the unauthorized disclosure of personal data.
In the end, the best professional will be the one who brings together knowledge of the legal area and of technology and information security. Because it is difficult to find a single professional who has all the necessary expertise, it is best to have a privacy team. To make sure you have the best possible support in data protection issues, Pryor Global offers DPO as a service, with experienced and specialized professionals working to keep your company in compliance with the law. Contact us to learn more about this service.