The State Data Protection Inspectorate (SDPI) has published its inspection and monitoring plan for 2023. The main areas of focus for the SDPI this year are the transparent processing of personal data, privacy policy publication, mobile applications, video surveillance, as well as the appointment and activities of Data Protection Officers.
As in 2022, the role of the Data Protection Officer (DPO) continues to be a major focus. It should be remembered that the DPO is a mandatory position for the public sector and some private sector organisations under the General Data Protection Regulation (GDPR).
The DPO functions must be carried out by a qualified professional with sufficient experience and who is continuously maintaining and improving his/her qualifications. If the DPO functions are performed by a person who holds other positions in an organisation, it must be ensured that conflicts of interest are managed and the independence of the person is maintained.
The SDPI looks at how the organisation ensures that the person selected is qualified during inspection of the appointment of a DPO in an organisation, i.e., what facts support the experience, knowledge, skills of the professional and how the organisation ascertains this. Person’s ongoing training and education is of the same importance as well.
SDPI inspects the functions and role of the DPO in the organisation, the DPO’s involvement in the decision-making process, accountability, introductory and ongoing training. The DPO’s role in keeping records of data processing activities, GDPR audits and data protection impact assessments, is also evaluated by the SDPI. Furthermore, the inspection includes an assessment of whether the DPO is kept informed of all processes in the organisation and can provide his/her opinion in a timely manner as to the extent to which certain decisions or tasks are in line with the GDPR and the organisation’s personal data protection policy.
In order to perform these functions, it is very important for the DPO to continuously improve his/her qualification, to deepen his/her knowledge of the GDPR and to be aware of the latest practices both in Lithuania and in other European Union countries.
Prepared by Brigida Bacienė, ECOVIS ProventusLaw Associate Partner and Data Protection Expert