DPO & DPR: something old, something new and something blue…
February 23, 2021
With 2020 days counting down, we are surely approaching 30 months since GDPR implementation, which did not reveal all its mysteries yet. As a toddler of the same age, it is only understandable to others 50% of the time…
Indeed, there is a lot of confusion between the DPO and DPR roles.
MyData-TRUST received many questions during the last Webinar “What is the GDPR and How to operationalize It”. The aim of this article is to clarify the situation.
DPO & DPR
Among repeatedly explained, yet poorly understood obligations, the appointment of a Data Protection Officer (DPO) and a Data Protection Representative (DPR) regularly hit the top of our clients’ frequently asked questions. Indeed, appointment of either or both DPO and DPR is still not systematically complied with none of them being invented by GDPR.
The old, poorly implemented directive 95/46/EC, refers to the data protection official, a DPO ancestor and mandates data controller not established in the Union to name a representative. So, why with none of these notions coming out of the blue, DPO and DPR remain such a mystery?
Let’s try to dissipate at least some bits of the mist and hopefully dispel some misconceptions.
Though DPO and DPR may look somehow alike, these two notions present significant differences and are not to be confused.
Essentially, DPO is a facilitator paving the way towards GDPR implementation by its controllers/processors (from within and outside EEA) while keeping its independence and cooperating with data protection authorities.
While DPR, acts upon non-EEA controller’s/processor’s instructions and will be contacted by data protection authorities instead of or together with controllers/processors for the purposes of ensuring compliance with regulation.
MyData-TRUST made a full side-by-side comparison covering 24 elements which enable to properly differentiate both notions.
Your DPO at MyData-Trust is available to help you to identify from the list above what needs to be implemented and set the priorities. We can also act as your DPR (if not already the case) and respond to your needs depending on your situation and location.
If you have any questions regarding the scope, the Data Protection Representative, the Competent Supervisory Authority or about Data Transfers, please contact us. MyData-Trust team will put all their efforts to support and sustain your activities involving personal data.