Since 25 May 2018, the General Data Protection Regulation (GDPR) has been in force in the Netherlands. This privacy act governs the handling and processing of personal data. Within an organisation, management is responsible for handling personal data and ensuring proper compliance with the GDPR. Management can be supported and advised by an employee with specific tasks; this officer is often called the privacy officer. In a number of cases, the organisation is required by law to appoint a data protection officer (DPO). The role of both privacy officer and data protection officer may be filled internally, but may also be outsourced externally.
The privacy officer not only supervises the handling of personal data, but also has an advisory role. They advise staff on privacy-related matters and provide training to increase internal knowledge on the subject. They also have a (supporting) role in carrying out a Data Protection Impact Assessment (DPIA) and in reporting data breaches. In addition, the privacy officer acts as a contact person for data subjects – individuals whose personal data are processed by the organisation – and for the Personal Data Authority.
Confusion frequently arises about the difference between the privacy officer (PO) and the data protection officer (DPO). Like the privacy officer, the data protection officer’s role is to oversee compliance with privacy legislation and advise management in this regard. Unlike for the role of the PO, the role of DPO is defined by law. If an organisation is required under the GDPR to appoint a data protection officer, the position must be filled according to certain requirements. These requirements are designed to ensure the DPO’s independence:
We also recommend staying as close as possible to the legal duties and responsibilities when fulfilling the role of privacy officer.
The data protection officer reports directly to the organisation’s management. Although the DPO is responsible for monitoring compliance with privacy laws and regulations, management remains responsible for that compliance. So the DPO or PO provides advice, but is not personally liable for GDPR compliance.
Article 37 of the GDPR states that the appointment of a data protection officer is mandatory for:
Whether the latter criterion applies is sometimes difficult to determine. Organisations covered by it include, for example, those that track individuals through their websites and build profiles based on interests and preferences. However, to fall into this category, such processing must be the organisation’s core activity. Thus, if you only collect data on the use of your website, this does not in itself mean that you are obliged to appoint a data protection officer.
Given the social importance of privacy protection and the risks for the company if personal data is insufficiently protected (reputational damage, fines), it is advisable to designate at least one employee as the point of contact for privacy and personal data, even if your organisation does not fall into the above categories. In that case, appointing a privacy officer is a good choice. Large organisations may also choose to appoint both a data protection officer and a privacy officer for practical reasons. After all, this increases the number of employees dealing with privacy and GDPR compliance, while it remains clear to customers and regulators who is the organisation’s first point of contact.
Would you like advice on fulfilling the role of DPO or PO? Our consultants will be happy to advise you on privacy-related issues. They can also fulfil the role of (external) privacy officer or data protection officer. Read more about our interpretation of the role of privacy officer here. Feel free to contact us.