What is a DPD?

Data Protection Delegate
With the approval of the new data protection legislation, on the one hand the General Data Protection Regulation (RGPD) and on the other the Organic Law on Data Protection and Guarantee of Digital Rights, a series of requirements and obligations, including penalties, have appeared that affect a good number of corporations and businesses. One of the most prominent obligations is the incorporation of the figure of the Data Protection Delegate (DPD) or Data Protection Officer (DPO, for its acronym in English).
What is a DPD?
The DPD is a new professional figure, a specialist in data protection law, whose main task is to ensure that the regulations in this area are complied with.
What does the job consist of?
The DPD must inform on, supervise, disseminate and coordinate the data protection policy in the company or administration in which they provide their services. In addition, the DPD must ensure compliance with Spanish and European regulations on the processing of personal data and advise on the risks that a certain service offered by the company may entail, which is called a Personal Data Protection Impact Assessment (EIPD). The DPD must also cooperate with the control authorities in the event that irregularities are detected in the processing of the data.
Its functions are:
Regulatory information and advisory function
The DPD must inform and advise the data controller or processor about the data protection regulations that apply to them. The DPD must also inform, train and advise employees who process personal data within the organizations acting as controller or processor, promoting the implementation of training and awareness programs for staff in the field of data protection.
Supervisory function of regulatory compliance
The DPD must supervise proper compliance with the rules on data protection in the entity or organization, implementing data protection policies and protocols.
Function of cooperation and liaison with the control authority
The DPD must cooperate with the control authority, or the corresponding data protection agency; act as the Agency's point of contact for issues related to the processing of personal data, including prior consultation; and resolve claims addressed to the Control Authority, acting as a mediator.
Function of attending to interested parties
The DPD must attend to interested parties who request it, establishing mechanisms for receiving and managing requests from interested parties to exercise their rights and resolving claims submitted by affected interested parties.
Which companies are required to have a DPD?
Its presence is mandatory in public administrations (except the courts of justice), and in any company and private entity whose main activity consists of the regular and systematic observation of interested parties (profiling, observing users...) in large volume, for long periods of time and in a very wide geographical area.
Those companies that handle large-scale personal data on particularly sensitive subjects (ideology, health, criminal matters, etc.) must also have a Data Protection Officer.
All those companies that are in one of the business sectors in the list contained in the LOPDGDD are also required (consult the attached list).
In any case, even where it is not obligatory, appointing this figure is recommended in certain cases, both to comply with the principle of proactive responsibility and to build confidence among customers.
Should the DPD be part of the staff?
Not necessarily. The DPD can be integrated into the workforce or be an outside professional who performs these duties through a service contract. The important thing is that the DPD acts independently. If the DPD is an internal employee of the organization, the following must be taken into account:
The DPD will not receive instructions from the controller or processor regarding the exercise of the DPD's functions.
He may not be sanctioned or dismissed by the data controller for the performance of his duties.
There will be conflicts of interest with other possible functions and obligations:
- Senior management positions.
- Lower-ranking positions that nonetheless involve determining the purposes and means of processing.
- Whoever defends the controller or processor in court in matters of data protection.
Whether it is external or internal, the organization must guarantee that:
The DPO is invited to regularly participate in meetings with senior and middle managers.
It is recommended that the DPD be present when decisions with data protection implications are made. All relevant information must be transmitted to the DPD in due time so that appropriate advice can be provided.
The DPD's opinion is always duly taken into account. In case of disagreement, the Working Group recommends, as a good practice, documenting the reasons why the DPD's advice is not followed.
The DPD is consulted promptly after a data security breach or other incident has occurred.
What are the advantages of appointing a DPD in my company?
- You will avoid penalties from the AEPD:
  - The sanctions imposed by the new RGPD and the LOPDGDD are much more severe than those known so far, so avoiding the higher penalties is always a plus. In the event that you infringe any of the rules of this Regulation and Law, the DPD must be the one to intervene between your company and the AEPD in order to clarify what has happened. Without a doubt, in the event that you are sanctioned, this professional will be a great resource in your favor.
- Avoid information leaks:
  - A DPD in your company will ensure that analyses and evaluations of the processing operations and of the security measures applied are carried out with a certain frequency, thereby avoiding possible leaks of information.
- You will have a resource in your favor if a data breach occurs:
  - Another of the requirements imposed by the new regulations is that, in the event of a data breach, a report is drawn up detailing what happened and is then sent to the AEPD. If you have a DPD in your organization, should this happen, you will be able to act much more quickly when it comes to mitigating the effects of the leak or security breach, as well as when informing the competent authorities.
- You will have a link with the AEPD and with the interested parties:
  - The DPD will be in charge of resolving claims that an interested party may make, which would otherwise be resolved by the AEPD, thus avoiding subsequent actions. Equally, the requests of interested parties to exercise their rights will be reviewed by the DPD.
- Convey security and confidence to your customers:
  - Having a DPD in your organization assures your customers of your interest in and willingness to comply with data protection regulations, and therefore of the security of the data that the customer deposits with your company.
What happens if my company does not yet have a DPD?
If the company or administration is obliged to have a Data Protection Officer and has not incorporated one, it faces a fine. The new regulation includes significant penalties for non-compliance.

Is your business ready to comply with data protection regulations?
