The DPO, or Data Protection Officer, is the person responsible for overseeing GDPR compliance within an organization. Their main tasks are to inform and advise the controller (or processor) and the employees who process personal data, to monitor compliance of personal-data processing with the regulation and with internal policies, and to cooperate with the supervisory authority.
The GDPR (Articles 37 to 39) makes the appointment mandatory in three cases: for public authorities and bodies (except courts acting in their judicial capacity), when the core activities consist of regular and systematic monitoring of individuals on a large scale, or when they consist of large-scale processing of so-called sensitive data (health, political or religious opinions, biometric data, and so on) or of data relating to criminal convictions and offences. Member State law may impose it in further cases. Outside these situations, appointing a DPO remains strongly recommended and is a good governance practice.
The officer carries out their duties in full independence: they receive no instructions on how to perform them, report to the highest level of management and must not be in a conflict of interest. The role can be filled by an internal employee or an external provider. The DPO is the primary point of contact for the supervisory authority (the CNIL in France) as well as for data subjects who wish to exercise their rights (access, rectification, erasure, portability).
To fulfil this role, the DPO relies on compliance tools such as the records of processing activities (Article 30), the tracking of data-subject requests and their response deadlines, and a traceable audit log of processing and access events. eyeot includes this kind of functionality, which eases the officer's day-to-day work and the demonstration of compliance in the event of an audit or inspection. The DPO, who is a person holding a role, should not be confused with the data processing agreement (DPA), which is the contract required by Article 28 of the GDPR between a controller and its processor.