A Data Protection Officer (DPO) is the person designated within an organization to inform and advise it on its data protection obligations and to monitor its compliance with them. The DPO must be able to act independently: the organization may not instruct the DPO on how to carry out these tasks or penalise or dismiss the DPO for performing them, and the DPO must report directly to the organization's highest management level.
The DPO requirement was introduced by the General Data Protection Regulation (GDPR), which applies directly in all EU member states. Its reach is not limited to organizations established in the EU: it also applies to organizations outside the EU that offer goods or services to people in the EU, or that monitor the behaviour of people in the EU, even if they have no physical presence there.
The GDPR requires an organization to appoint a DPO if it is a public authority or body (other than a court acting in its judicial capacity); if its core activities involve processing operations that require regular and systematic monitoring of data subjects on a large scale; or if its core activities involve large-scale processing of special categories of data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic, biometric, health, sex life or sexual orientation data) or of personal data relating to criminal convictions and offences.
The Information Commissioner's Office (ICO), the UK's data protection regulator, has published guidance on how organizations should comply with the GDPR's obligations regarding DPOs, including when a DPO must be appointed and what the role involves.