The General Data Protection Regulation (‘GDPR’), which will come into effect on the 25th of May 2018, recognizes the DPO as a key player in the new data governance system and lays down conditions for his or her appointment, position and tasks.
A useful aid in correctly interpreting the rules laid down by the GDPR comes from the Guidelines on Data Protection Officers adopted on 13 December 2016 by the “Article 29 Data Protection Working Party” (composed of representatives of the national data protection authorities, the EDPS and the European Commission).
Let's look at the guidance the Working Party provides on how to choose and manage the DPO.
► Level of expertise
Article 37(5) of the GDPR provides that the DPO ‘shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39’.
The required level of expertise is not strictly defined by the GDPR but the Guidelines point out that it must be commensurate with the sensitivity, complexity and amount of data processed.
According to the Working Party, another aspect to be taken into consideration is whether the organisation systematically transfers personal data outside the European Union or whether such transfers are occasional.
► Professional qualities and abilities
DPOs should have expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR.
The Guidelines highlight that ‘it is also helpful if the supervisory authorities promote adequate and regular training for DPOs’.
The professional skills cannot be limited to mere knowledge of the law: the DPO should also have sufficient understanding of the processing operations carried out, as well as the information systems, and data security and data protection needs of the controller.
► DPO on the basis of a service agreement
The function of the DPO can also be exercised on the basis of a service contract concluded with an individual or an organisation outside the controller’s/processor’s organisation.
The Working Party recommends having a clear allocation of tasks within the DPO team and assigning a single individual as the lead contact and person ‘in charge’ for each client, specifying these points in the contract.
Article 38(2) of the GDPR requires the organisation to support its DPO by ‘providing resources necessary to carry out [their] tasks and access to personal data and processing operations, and maintain his or her expert knowledge’.
The Guidelines recommend that the following items, in particular, be considered as resources to be provided to the DPO:
- Active support of the DPO’s function by senior management;
- Sufficient time to fulfil their duties;
- Adequate support in terms of financial resources, infrastructure and staff where appropriate;
- Necessary access to other services, such as Human Resources, legal, IT, security, etc., so that DPOs can receive essential support, input and information from those other services;
- Continuous training.
Article 38(3) establishes some basic guarantees to help ensure that DPOs are able to perform their tasks with a sufficient degree of autonomy.
In particular, controllers/processors are required to ensure that the DPO ‘does not receive any instructions regarding the exercise of [his or her] tasks.’ Recital 97 adds that DPOs, ‘whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner’.
The Guidelines explain that, in fulfilling their tasks, DPOs must not be instructed how to deal with a matter, for example, what result should be achieved, how to investigate a complaint or whether to consult the supervisory authority.
The autonomy of DPOs does not, however, mean that they have decision-making powers extending beyond their tasks: the controller or processor remains responsible for compliance with data protection law and must be able to demonstrate compliance.
To strengthen the autonomy of DPOs, Article 38(3) of the GDPR provides that DPOs should ‘not be dismissed or penalised by the controller or the processor for performing [their] tasks’.
► Conflict of interests
Article 38(6) requires that the organisation ensures that any tasks and duties of the DPO ‘do not result in a conflict of interests’.
This entails in particular that the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data.
The Guidelines point out that, as a rule of thumb, conflicting positions may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure, if such positions or roles lead to the determination of the purposes and means of processing.