Whether you are a public or private organisation you need to consider whether you are required to appoint a Data Protection Officer (DPO) or whether compliance with the EU General Data Protection Regulation (“Regulation”) necessitates the appointment of a DPO.
Who needs a DPO?
The current view is that your organisation needs a DPO, or access to the advice of a DPO, unless you can show that it does not.
The Regulation provides that the following organisations shall appoint a DPO:-
- A public authority or body processing personal data, except for courts acting in their judicial capacity.
While no definition of public body is provided in the Regulation, we anticipate that local legislation will provide one, and we expect it to be similar to the definition in the Freedom of Information legislation, which includes statutory bodies.
- Where an organisation’s core activities consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale.
This category includes social media companies, loyalty scheme operators, online retailers and search engine companies.
- Where an organisation’s core activities consist of processing on a large scale of special categories of data (sensitive personal data) and personal data relating to criminal convictions and offences.
This category includes healthcare providers, insurers and government departments that handle such data.
Member States also have the right to require the appointment of a DPO by other categories of data controllers or processors not specified in the Regulation. We will be watching developments closely and will post updates to our website.
The tasks of a DPO
The DPO needs to eat, sleep and breathe data protection and to be continuously risk aware. The Regulation sets out the key tasks, which include:-
- Informing and advising the organisation and the employees of their obligations.
- Monitoring compliance with the Regulation.
- Raising awareness among staff involved in processing operations.
- Training staff handling personal data.
- Providing advice regarding data protection impact assessments (DPIAs, often referred to as privacy impact assessments or PIAs) and monitoring their performance.
- Acting as the organisation’s contact point for, and cooperating with, the Office of the Data Protection Commissioner or the relevant Supervisory Authority.
Who to appoint?
The perfect candidate must have the following:-
- Expertise in data protection law and practice, although no specific qualifications are set out in the Regulation.
- The ability to fulfil the tasks set out above.
- Independence to fulfil the role; that is, there must be no conflict of interest in fulfilling the DPO role.
- An ability to deal with both internal and external stakeholders. The DPO will be ‘public facing’ in that he/she will be the organisation’s contact person for the Office of the Data Protection Commissioner and data subjects.
In-house or external consultant?
Organisations can appoint an in-house DPO, on a full time, part time or dual role basis. This appointment is always on the condition that the DPO’s tasks and duties do not conflict with another role being filled by that person.
As with any recruitment, the downside to an in-house DPO is that if the employee leaves, your organisation will have to rehire and possibly retrain another member of staff. The alternative is to engage a consultant on a needs basis. This is likely to be most suitable for small to medium sized businesses, whose needs are best served by having access to an external consultant as required.
In considering what’s best for your organisation, the following should be considered:-
- Is a DPO appointment mandatory for your organisation under the Regulation?
- If not, what role would a DPO fill in your organisation? Leaving aside the mandatory appointment obligation, do you consider appointing a DPO necessary in order to comply with the Regulation?
- How will the Regulation change your current system for processing data?
- How will the Regulation change the time your organisation needs to devote to compliance?
- The size and structure of your organisation.
- How much access do employees and senior management need to the DPO?
- If your organisation forms part of a group of undertakings, the group can consider appointing a single DPO for the group, provided that the DPO is easily accessible from each establishment.
- A single DPO can be appointed by a group of public authorities or bodies taking into account their organisational structure and size.
As an organisation, you need to assess whether you need a DPO: is there a mandatory requirement, or is the appointment of a DPO the best way to assist your organisation in complying with the Regulation? Then consider what is best for your organisation: in-house (full time, part time or dual role) or an external consultant.
The key is to appoint the best fit for your organisation, in particular taking into account the size and structure of your organisation.