What does a data protection officer (DPO) do and who will need one in 2024?

There is more and more talk of the great potential of data use, and of the fact that both personal and non-personal data are underused in organisations. To fully benefit from collected data, an organisation needs to understand the data it collects and apply high-quality data analytics.

However, legal compliance is often problematic when the dataset contains personal data. In this case, a data protection officer is essential for raising awareness and helping the organisation plan wise choices.

It is essential to keep in mind that the task of a data protection officer is not just to prohibit. To understand the role as a whole, bear in mind that the expert also helps the organisation better understand what is allowed.

Tasks of the data protection officer (DPO)

  • Act as a contact person for people on all matters relating to the processing of their personal data and the exercise of their data protection rights;
  • inform and advise the management and staff of your organisation (including, where appropriate, its partners) on data protection;
  • monitor the implementation of data protection rules, ensure staff training and data protection audits;
  • advise on and monitor the functioning of the data protection impact assessment;
  • liaise with the Data Protection Inspectorate, acting as a contact person on behalf of the organisation.

Who is obliged to appoint a Data Protection Officer under the GDPR?

  • All public authorities and bodies; and
  • those businesses that process personal data on a regular and systematic basis and on a large scale as part of their principal activity (principal activity is the key activity without which the business cannot fulfil its day-to-day objectives).

The concept of "large scale" is not precisely defined in the GDPR but should be assessed on the basis of the following metrics:

  • Number of people involved in data processing;
  • the volume of personal data processed and/or the number of different data records;
  • the duration of the processing of personal data;
  • the geographical scope of the processing.

Companies must also appoint a data protection officer if they process special categories of personal data (e.g., health data, genetic and biometric data, racial or ethnic origin, a person’s sexual life and sexual orientation, etc.):

  • in the course of their principal activity, and
  • on a large scale.

Last year also brought new fines in Europe for failures to appoint a data protection officer, which shows that this obligation is being actively monitored.

Hedman data protection experts can help you to decide whether your organisation specifically must appoint a data protection officer or, in the absence of such an obligation, whether it would be beneficial to do so due to the profile of your company and the area in which it operates.

Do I need a DPO?

Below we also provide a list of areas where, due to the nature of the activity and the potential high risk to individuals’ privacy, the appointment of a DPO is likely to be mandatory:

  • credit institutions, creditors, credit intermediaries, insurance companies, insurance intermediaries;
  • communications companies processing data of users of telephone or internet services;
  • hotels, shopping chains, and other businesses that collect customer data and have loyalty programmes;
  • recruitment and staffing companies, job portals;
  • news portals;
  • spas, where they process health data;
  • companies that send direct marketing to people based on a specific selection;
  • GP practices and hospitals;
  • companies that perform profiling activities, such as assessing a customer’s ability to pay or risk of health or traffic behaviour;
  • companies that process people’s location data in smart apps;
  • companies that analyse their customers’ use of online pages and advertise on this basis, i.e., digital marketing;
  • customer data processors using smart devices;
  • all companies processing special categories of personal data.

It should also be borne in mind that even if a company does not provide a service to individuals, it will still need to take the above criteria into account when the users of its service have a large customer base and the service involves dealing with the data of that customer base (e.g., data analytics, IT services, direct marketing, etc.).

If an organisation needs to appoint or voluntarily wishes to appoint a data protection officer to mitigate risks, but the workload is relatively small, outsourcing should be considered.

A high-quality service will ensure the expert is highly experienced and has likely been exposed to different decision points. It is also not uncommon for an organisation, besides its in-house data protection officer, to seek additional support from an external service to deal with, for example, significant projects, developments, or incidents.

This is where the Hedman law firm’s data protection officer (DPO) service can help you.
