To ensure that no individual’s personal data is misused, breached, or stolen, and to enforce responsible data handling, almost all countries have enacted data protection laws that bind companies. Data Protection Authorities (DPAs) play a critical role in overseeing data protection and privacy laws within their jurisdictions.
In this article, we will dive deeper into what a DPA is and its role in ensuring that businesses strictly comply with data protection laws.
What is a DPA
A DPA is an independent public supervisory authority responsible for overseeing and managing the enforcement of data privacy regulation within a specific jurisdiction. They are vested with corrective and investigative power to ensure businesses comply with data privacy regulations.
For example, in the EU, DPAs can use their regulatory power to fine a company for any non-compliance with the General Data Protection Regulation (GDPR). GDPR fines are substantial: up to €10 million or 2% of annual global turnover, whichever is higher. Depending on the severity of the non-compliance, fines can reach 4% of annual global turnover.
In today’s increasingly complex and evolving digital landscape, DPAs play a critical role in upholding data privacy and security standards.
The Role and Responsibilities of Data Protection Authorities
DPAs accomplish a range of purposes for individuals, businesses and the general public, such as:
Monitoring and Enforcing Data Protection Regulations
DPAs are responsible for the effective enforcement of data privacy regulation within their jurisdictions and keep data processing under regular supervision so that violations are detected and prevented. This responsibility covers the processes of data collection, storage, retention, processing and transfer by companies holding the personal data of individuals.
Providing Guidance and Advice
DPAs play a key role in providing both public and private entities with expert guidance and advice on data protection best practices. They help organisations better understand their legal obligations under data privacy rules. By breaking down regulatory frameworks such as GDPR, and guiding organisations through privacy policy design principles, secure data transfer protocols, and data mapping exercises, DPAs help organisations mitigate data privacy risks while also facilitating regulatory compliance in today’s complex data-driven business landscape.
Authorisation and Advisory Powers
The European Data Protection Board (EDPB) has empowered DPAs to authorise data processing activities that are otherwise constrained by national law in the EU and EEA. In addition, data controllers, with the help of DPAs, can efficiently conduct Data Protection Impact Assessments (DPIAs), a process designed to reduce risk and facilitate compliance with GDPR.
Promoting Public Awareness
Besides monitoring the data processing activities of companies holding users’ personal data, DPAs are also responsible for keeping data subjects aware of their rights. To that end, they can roll out educational campaigns and publish advertisements and other materials about individuals’ rights and organisations’ obligations regarding personal data protection and regulatory compliance.
Handling Complaints and Conducting Investigations
DPAs are responsible for receiving and investigating complaints from individuals about any breach of their data privacy. They conduct independent and unbiased investigations into an issue and take appropriate legal action if any party is found to have violated regulatory standards while handling personal data. They also hold the authority to impose fines, penalties or sanctions on companies that violate compliance standards.
Any individual can seek help from a DPA if they:
- face any issue or complexity while exercising the data privacy rights detailed in the data privacy acts that apply to them;
- suspect their personal data has been collected, processed or retained by a company or website without their consent;
- are unwilling to receive any marketing communications from a specific company.
A company can contact a DPA when it:
- needs to report a data breach. Stringent data privacy regulations such as GDPR mandate that organisations report a data breach within 72 hours of detecting it. Failure to do so is considered a violation of the rule and subjects the organisation to penalties;
- needs legal guidance on ensuring lawful, transparent and fair processing of personal data.
A DPA is also responsible for:
- documenting data processing activities that are prohibited or need pre-approval from the authority;
- making individuals aware of their rights while also encouraging them to exercise these rights;
- keeping the data processing activities of organisations under continuous supervision.
DPA Powers
Almost all data protection regulations grant DPAs some distinctive powers. For example, GDPR allows DPAs to exercise three types of power, detailed in Article 58 of the GDPR:
- Investigatory powers
- Corrective powers
- Authorisation and advisory powers
Investigatory Powers
Each DPA holds the power to:
- ask data controllers, processors, or sub-processors for any information it needs;
- conduct data protection audits as part of an investigation;
- conduct a review of certifications issued pursuant to Article 42(7);
- inform data controllers or data processors (if applicable) of any alleged infringement of the GDPR;
- obtain access to all personal data and required information held by data controllers and data processors (if applicable);
- obtain access to premises, including data processing equipment, owned by data controllers or processors; these powers are subject to Union or Member State procedural law.
Corrective Powers
Each DPA holds the power:
- to warn data controllers or processors that any of their intended processing activities is likely to infringe the GDPR;
- to reprimand organisations for violating any of the provisions detailed in the GDPR;
- to order data controllers or data processors to comply with data subjects’ requests to exercise their rights under the GDPR;
- to direct data controllers or processors to bring their processing into line with the provisions of the GDPR, where applicable in a specific manner and within a set timeframe;
- to order data controllers to inform data subjects if their personal data has been breached;
- to temporarily or definitively ban or restrict data processing;
- to order an organisation to rectify or erase personal data, or to restrict processing, as set out in Articles 16, 17 and 18, and to notify recipients of such action pursuant to Article 17(2) and Article 19;
- to withdraw a certification, or order the certification body to withdraw a certification issued according to Articles 42 and 43, or order the certification body not to issue a certification if the required conditions are not met or are no longer met;
- to impose administrative fines pursuant to Article 83;
- to order the suspension of data transfers to a recipient in a third country or to an international organisation.
Authorisation and Advisory Powers
- to advise the data controller in accordance with the prior consultation procedure set out in Article 36;
- to issue opinions, on its own initiative or on request, to the national parliament, the government of a Member State, or other institutions and bodies, on any issue related to personal data protection;
- to authorise data processing activities pursuant to Article 36(5), where required by Member State law;
- to issue an opinion on and approve draft codes of conduct pursuant to Article 40(5);
- to accredit certification bodies pursuant to Article 43;
- to issue certifications and approve certification criteria pursuant to Article 42(5);
- to adopt standard data protection clauses referred to in Article 28(8) and in point (d) of Article 46(2);
- to authorise contractual clauses pursuant to Article 46(3)(a);
- to authorise administrative arrangements pursuant to Article 46(3)(b);
- to approve binding corporate rules pursuant to Article 47.
How to become DPA-compliant
Complying with DPA requirements is a systematic process that requires businesses to follow a series of steps:
- Understand applicable data protection laws: Any business that handles personal data must be well aware of the data protection laws enforced within its jurisdiction, such as GDPR, CCPA, etc. For example, organisations handling the personal data of residents of the EU and EEA must have a thorough understanding of the GDPR.
- Establish an accountability and governance framework: Data protection laws such as GDPR mandate that organisations appoint a dedicated data protection officer (DPO). The DPO ensures that the processing activities carried out by an organisation do not violate GDPR provisions. Organisations should also set their own policies and rules regarding data collection, processing, storage and sharing for all staff and stakeholders to abide by.
- Map data flows: Data mapping is a key prerequisite of GDPR compliance. It enables organisations to better understand how they collect, store, process and share data, thereby reducing the risk of non-compliance. Conducting a data inventory and data flow audit also helps you abide by the principles of data protection laws like GDPR. For example, with data mapping, you can ensure you only collect the data essential to your purpose of processing, a key principle of GDPR. One critical part of this step is the DPIA, which helps pinpoint and address security risks associated with data processing activities.
- Implement data security measures: All data privacy regulations require companies to implement stringent technical and organisational security measures to prevent attackers from breaching confidential personal data. Security measures named in these regulations include data encryption, audit trails, and access control.
- Consent management: Make sure you have a proper process in place to obtain consent from individuals before you collect and process their personal data. Almost all established data protection laws worldwide treat freely given consent as a prerequisite of regulatory compliance.
- Document compliance efforts: Documenting your data processing activities is critical to complying with DPA requirements. To ensure ongoing compliance, keep monitoring and reviewing your data processing activities by conducting regular audits. This way you can rest assured that you meet all regulatory requirements and that none of your processing activities violates the provisions.
Examples of Data Protection Authorities Around the World
Almost all countries have dedicated DPAs within their jurisdiction. For example, the EU has a central body as well as a dedicated DPA for each member state.
The European Data Protection Board (EDPB) is the central and independent governing body responsible for overseeing GDPR compliance across the EU. In the UK, the Information Commissioner’s Office (ICO) plays the key role of monitoring the data processing activities of organisations.
France has the Commission nationale de l’informatique et des libertés, and Germany has the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI).
Surprisingly, the USA is one of the few countries with no central DPA. Instead, each state has its own data protection regulation, meaning that businesses there must meet the requirements of different regulators across the country.