Featured in JEP’s Expert Panel – 1st March 2018
The role of the Data Protection Officer (“DPO”), as set out in the new GDPR law, is in essence to give independent advice, guidance, training and support to an organisation so that it manages and uses personal data to best practice and operates within the GDPR law.
The new GDPR law makes significant changes to the relationship between the data subject and the data controller. The onus is now on the data controller to prove that it operates within the requirements of the GDPR law. One can also expect that data subjects will begin to exercise their rights under the new law.
So how will organisations balance their own business interests against the enhanced rights of the data subject under GDPR? An interesting challenge!
Key features of DPO role
The DPO is appointed by the Data Controller to deliver the services mentioned in the first paragraph. Only certain types of organisation must have a DPO. This is a unique role. A38 sets out their position and tasks: they work in a professional and independent manner, free of any interference in the exercise of their duties; they have access to, and report to, the highest level of management when required; they have the resources needed to deliver their services; they are free from personal liability for non-compliance with GDPR (the Data Controller is ultimately responsible); and they have protected employment status in relation to their role as DPO.
How do they work?
In addition to the above, the DPO is your organisation’s main point of contact on all things data protection: internally with your staff, management and board directors, and externally with customers and the Supervisory Authority. It is essential that they have a key role in projects concerning business process design or changes, staff training and computer system changes that affect personal data in your organisation. This cannot be an afterthought, as otherwise the data controller runs the real risk of, accidentally or otherwise, falling short of its compliance obligations. In reality, how can a data controller prove it is serious about instilling data protection standards into the DNA of its business if it only pays lip service to the “privacy by design” and “privacy by default” principles required by A25 and to the “data protection impact assessments” required by A35?
Independence – who should not be DPO
The DPO cannot hold a position that leads them to “determine the purpose and the means of processing of personal data”. The A29 Working Party guidance states that the following people should not be the DPO: the CEO, COO, CFO, Chief Medical Officer, head of marketing, head of HR or head of IT. The data controller must also take great care not to blur the lines (in perception or in fact) where a technology service provider both supplies technology services to the organisation and offers outsourced DPO services.
This is an area that organisations increasingly struggle to understand, in the absence of any formal DPO qualification under the GDPR.
While A37(5) gives only a brief indication of the required “qualities”, the A29 Working Party guidance provides much more detail on the desired qualifications and experience a DPO should have. The key skills noted are:
- expert knowledge of national and EU data protection laws and practices, including in-depth knowledge of GDPR
- understanding of the processing operations carried out
- understanding of information technologies and data security
- knowledge of your business sector and organisation
- ability to promote a data protection culture
Data Controllers will have to take time to consider exactly what skill set a DPO needs for their organisation, taking into account factors such as the complexity of the processing, the amount of large-scale processing and the amount of sensitive data the organisation is responsible for processing.
Who must appoint?
A37 of GDPR imposes the mandatory obligation of appointing a DPO where data processing is carried out:
- by a public authority or body
- by an organisation where core activities of the controller or processor require regular and systematic monitoring of data subjects on a large scale
- by an organisation where core activities of the controller or processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.
One must note that “public body” could be interpreted as extending to those private companies providing services to the public on behalf of the public authority. Organisations not legally required to appoint a DPO may do so, but they will be bound by the full legal requirements of this role.
In-house or outsourced DPO?
A staff member can be appointed DPO, either exclusively for that role or alongside other tasks and duties, as permitted by A38. It is important, however, that they have the necessary time and resources to perform effectively as DPO. The data controller can also outsource the role of DPO to an independent person or company.
Penalties for not appointing DPO?
Data controllers need to be aware that failure to appoint a DPO where GDPR mandates one will expose them to the lower level administrative fine (in GDPR set at €10m or 2% of global revenues).
After taking all of these factors into account and making the right decisions for their organisation, Data Controllers can “be secure” in the knowledge that they can look forward and lead in this new data protection age.