Data Protection Officer – Which Businesses Need One & What do they do?


We have previously looked at the sweeping changes to privacy law coming into effect in the EU. Those changes will have an impact on a number of Australian businesses. One of the first steps towards GDPR compliance is to identify whether your business is captured by Article 37 and is therefore required to appoint a Data Protection Officer (‘DPO’).

For further detail on the DPO role, see our free report on the DPO, written by Dr. Drew Donnelly of Compliance Quarter.

Alternatively, you can complete our FREE GDPR Readiness Questionnaire so that we can help you assess where you stand with GDPR and the work required. Our initial assessment and response is free of charge.


Application to Australian Businesses

While the GDPR is a European regulation, it applies to an Australian organisation that controls or processes personal data (and, indeed, to any organisation in the world that controls or processes personal data) where one of the three conditions set out in Article 3 is met:

  • it has a physical establishment in the EU;
  • it offers goods or services to people in the EU; or
  • it monitors the behaviour of people in the EU.

Article 37(1) makes the appointment of a DPO mandatory where the organisation is a public authority or body, where its core activities require regular and systematic monitoring of individuals on a large scale, or where its core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences. In appointing a DPO, the organisation (whether a controller or a processor) needs to consider hiring or contracting an individual capable of carrying out all the specified tasks. The DPO can be internal or external to the organisation.

Tasks of the Data Protection Officer (DPO)

Article 39(1) sets out the minimum tasks that a DPO is required to perform, including:

  • Informing and advising the organisation of compliance requirements under the GDPR
  • Monitoring compliance
  • Providing advice on, and monitoring the performance of, Data Protection Impact Assessments (DPIAs)
  • Cooperating with, and acting as the contact point for, the supervisory authority.

Unless it is obvious that your organisation does not require a DPO, the Article 29 Working Party (‘WP29’) recommends that you document the internal analysis carried out to determine whether or not a DPO must be appointed (Guidelines, 2). Note that even if you are not required to appoint a DPO, it may be a good idea to do so; keep in mind, however, that if you appoint one voluntarily, the role and obligations of the DPO will apply as if the appointment had been mandatory (Guidelines, 2).

For the WP29 Guidance see

Unsure of your requirements under the GDPR? Then talk to us about a GDPR review: we will set out your requirements, determine whether a DPO is required, and offer ongoing help to ensure you are ready and compliant.
