One of the regulatory requirements is the appointment of a person responsible for ensuring internal control over the processing of personal data. Such a person is called a Data Protection Officer – DPO. In this article, we will look at the Company’s responsibilities for appointing a DPO, the requirements for a DPO, its tasks and other issues related to internal control over the processing of personal data in the Company.
Responsibilities of companies in the field of appointing a responsible person
1. Appointment of those responsible for internal control over the processing of personal data: Companies that deal with the personal data of individuals are required to organize internal control over the processing of such data. To do this, the Company can choose one of the ways:
- Appoint a department responsible for internal control over the processing of personal data.
- Appoint a person responsible for internal control over the processing of personal data. When it is decided not to create a structural unit responsible for internal control over the processing of personal data, the functions of the DPO can be distributed as follows:
- Hire a DPO employee.
- Assign DPO functions to several employees in addition to their functions.
- Assign the DPO functions to one employee in addition to his work functions.
2. Definition of DPO job responsibilities and paperwork: Depending on whether an individual employee is hired or the duties of the DPO are assigned to a particular current employee or several employees, it is necessary to define or supplement job responsibilities. For an individual employee, they draw up a job description for a specialist in implementing internal control over the processing of personal data and acquaint him with the Instructions.
When hiring a DPO or distributing its functions among several employees, the relevant documents of the personnel department are drawn up.
We recommend that you consider in advance the candidacy of an employee who will replace the DPO during his absence. Such a specialist will need to be trained in DPO competencies.
3. DPO training: At least once every 5 years, companies that have appointed DPOs must organize training for these employees on personal data protection issues. You can send a DPO for training:
- Organizations that have an educational license can organize staff training. These are usually educational institutions.
- Organizations that do not have an educational license but conduct training courses, training, and lectures.
Instead of being sent to such organizations, a DPO can study at his Company. To do this, he studies the requirements for protecting personal data and passes a knowledge test on these issues. The knowledge test can take the form of an interview, testing, or other methods. The Company may invite specialists with the right to conduct training in personal data processing.
Training at the National Center for Personal Data Protection: In several organizations, DPoS are trained only at the National Center for Personal Data Protection. Such organizations include, in particular, banks and non-bank credit and financial organizations, insurance companies, telecommunication operators, real estate organizations, recruitment agencies, and companies that process the personal data of at least 10,000 individuals.
When the DPO’s responsibilities include ensuring information security and the Company owns some information systems, except for those used by companies-residents of the Hi-Tech Park in activities related to blockchain or created with the participation of residents of the Park, then it is necessary to train the DPO at the National Center for Personal Data Protection at least once every three years.
4. Company reporting on DPO: Every year until November 15, companies provide information to the National Center for Personal Data Protection:
- About the number of DPoS who need to be trained at the National Center.
- The number of persons responsible includes ensuring information security to improve their skills.
Also, in cases where the Company is registered in the Register of Personal Data Operators, information about the DPO must be entered in the Register: his last name, first name, patronymic, contact phone number, and e-mail address. We remind you that not all companies that process personal data need to register in the Registry. There are certain cases when a company must register in this Registry. In particular, when it processes biometric and genetic personal data, the personal data of more than 100,000 individuals.
What does a DPO do in a company
The functionality of the DPO is quite broad and includes in particular:
- The study of business processes related to personal data processing and identifying risks associated with these processes.
- The proposal of measures to minimize the risks associated with business processes for processing personal data.
- Development of company documents in the field of personal data, their updating and coordination.
- Participation in adopting measures for the technical and cryptographic protection of personal data.
- Control over personal data in labour relations, termination of their processing, deletion and blocking in the absence of grounds for further processing.
- Verify compliance with the requirements for processing personal data in the Company’s structural divisions.
- Investigation of violations by the Company’s employees of the requirements for processing personal data and suggestions on the perpetrators’ responsibility.
- Coordinate the Company’s local documents and agreements regarding compliance with their requirements for personal data protection.
- Familiarization of employees with the requirements for the processing of personal data.
- Organization of training for employees who directly process personal data, offering the optimal form of training.
- Interaction on issues related to the processing of personal data with the National Center for Personal Data Protection.
What to pay attention to when selecting a DPO candidate
Several circumstances are helpful when selecting a DPO candidate and determining its functionality. Here are some of them:
1. Avoid conflicts of interest: We recommend that you do not appoint a DPO to the person who directly processes personal data, as in this case, a conflict of interest arises: the DPO, as the person responsible for internal control over the processing of personal data, will have to control itself. A conflict of interest may result when the person who directly processes personal data and the DPO are employees of the same department of the Company.
2. Do not consider a freelancer as a DPO: The circumstances are different. However, as a rule, a full-time employee is more responsible to the Company than a specialist engaged under a civil contract. In addition, internal control over the processing of personal data often requires immersion in business processes and access to information that constitutes a company’s trade secret. According to the state body that controls personal data protection, the DPO must be a full-time employee.
3. Take into account the qualification characteristics of the position: The qualification characteristic of the specialist position responsible for internal control over the processing of personal data includes an education requirement: the DPO must have a higher education, regardless of work experience. In the future, work experience as a DPO is essential for upgrading the category of such a specialist: at least 2 years for the second qualification category and three years in the second category for the first assignment.
4. Separate functions: We recommend assigning different employees the functions of technical and cryptographic information protection and internal control over the processing of personal data. Technical education is required for high-quality technical and cryptographic information protection, but it is not required to perform other DPO functions; for example, a lawyer can perform them.
How does the DPO control the processing of personal data
An employee who performs the functions of a DPO will not just come to the employee who processes personal data with an offer to control their processing. Internal control over the processing of personal data is a business process that needs to be analyzed, structured and formalized with a local document.
The National Center for Personal Data Protection proposes to draw up a local document: the procedure for internal control over the processing of personal data. This document is developed based on other internal company documents on the processing of personal data, in particular, Policies.
Forms of internal control over the processing of personal data
Internal control over the processing of personal data can take the form of monitoring the Company’s structural divisions and unscheduled inspections.
Monitoring is carried out every six months according to a monitoring plan prepared in advance for a year.
The DPO conducts unscheduled inspections on behalf of the Company head. For such a check, the DPO defines:
- Which department of the Company or which employee’s work he will check.
- Which business process or information system will be checked.
- The verification period.
- An unscheduled inspection must occur within three working days of receiving the head’s order.
How we can be helpful in the selection and registration of relationships with DPO
Our lawyers and information security specialists are experienced specialists in internal control over processing personal data and protecting information about personal data.
We can:
- Advise you on selecting an appropriate form of internal control over the processing of personal data.
- Select a DPO candidate, develop and issue personnel documents for employment, and distribute DPO functions among the Company’s employees.
- Develop documents on internal control over the processing of personal data.
- Conduct internal training on personal data processing and information protection in your Company.
- Represent your interests in government agencies.
Contact us
If you have any questions or disputes regarding the DPO’s purpose and functions, we will be happy to help! Our long-term experience in corporate law and taxation will help you resolve any disputes in this area.
- +37529366-44-77 (WhatsApp, Viber, Telegram);
- info@ambylegal.by.