Data Protection Officer – Which Businesses Need One & What do they do?


We have previously looked at the sweeping changes to privacy laws coming into effect in the EU. These laws will have an impact on a number of Australian businesses. One of the first steps towards GDPR compliance is to identify whether your business is captured under Article 37 and requires the appointment of a Data Protection Officer (‘DPO’).

Reading this article will give you the option of downloading our free report on DPO, written by Dr. Drew Donnelly, Compliance Quarter. Download our free report for further details on the DPO by following the instructions in the popup box.

Alternatively, you can complete our FREE GDPR Readiness Questionnaire so that we can help you assess where you stand with GDPR and the work required. Our initial assessment and response is free of charge.


Application to Australian Businesses

While the GDPR is a European regulation, it applies to an Australian organisation that controls or processes data (and, indeed, any organisation in the world that controls or processes data) where one of three conditions set out in Article 3 is met:

  • it has a physical establishment in the EU;
  • it offers goods or services to people in the EU; or
  • it monitors the behaviour of people in the EU.

In appointing a DPO, the organisation (whether a controller or a processor) needs to consider hiring or contracting an individual capable of carrying out all the specified tasks. The DPO can be internal or external to the organisation.

Tasks of the Data Protection Officer (DPO)

Article 39(1) sets out the tasks that a DPO is required to perform, including:

  • Informing and advising the organisation of compliance requirements under the GDPR
  • Monitoring compliance
  • Supporting Data Protection Impact Assessment (DPIA)
  • Acting as the contact point with the supervisory authority.

Unless it is obvious that your organisation does not require a DPO, WP29 recommends that you document the internal analysis carried out to determine whether or not a DPO is required to be appointed (Guidelines, 2). Note that even if you are not required to appoint a DPO, it may be a good idea to do so, but keep in mind that if you do, the role and obligations of the DPO will apply as if the appointment had been mandatory (Guidelines, 2).

For the WP29 Guidance see

Unsure of your requirements under GDPR? Then talk to us for a GDPR review. We’ll set out your requirements, determine if a DPO is required, and offer our ongoing help to ensure you are ready and compliant.
