The General Data Protection Regulation (“GDPR”) will come into effect on 25 May 2018. It will introduce a number of significant changes for managing data. Central to the operation of the new regime will be the role of the Data Protection Officer (“DPO”). We look at the key considerations for employers who are required to recruit a DPO.
When does an organisation need to appoint a DPO?
An organisation will have to appoint a DPO where its core activities involve processing operations which:
- require regular and systematic monitoring of data subjects on a large scale; or
- require large scale monitoring of special categories of data or data connected to criminal convictions and offences.
In addition, all public authorities and bodies must appoint a DPO.
The Article 29 Working Party, the collective group of data protection authorities in Europe, has adopted guidance which will assist organisations in determining whether they fall within these categories.
What are the functions of a DPO?
The functions of the DPO will include the following:
- involvement in all issues relating to the protection of personal data within the organisation;
- monitoring compliance with the GDPR;
- advising the employer on carrying out data protection impact assessments as required by the GDPR;
- informing and advising the organisation and its employees/personnel who carry out data processing of their obligations under the GDPR and any relevant national data protection provisions;
- co-operating with the relevant data protection authority, where necessary;
- acting as the contact point for the relevant data protection authority on issues relating to processing;
- acting as the contact point for data subjects of the employer in relation to all issues regarding the processing of their personal data and to the exercise of their rights under the GDPR; and
- assisting with or maintaining records of processing operations under its responsibility and/or categories of processing operations carried out by its employer.
Recruitment of a DPO
There is little guidance available in relation to the level of expertise or professional qualifications that a DPO is required to have. It is stated, however, that the candidate’s level of expertise should be proportionate and appropriate to the data processing operations being carried out by the employer and the level of sensitivity of the data being processed by it.
In addition, DPOs must have expertise in national and European data protection laws and a detailed understanding of the GDPR. They should have a degree of knowledge of the particular recruiting organisation, together with the ability to fulfil the functions of the role.
An organisation is not always required to employ a DPO directly. The function of a DPO may also be fulfilled on the basis of a service contract with an individual or a third party organisation. Additionally, for certain group companies, a single DPO may be recruited to act for the whole group if appropriate.
Seven practical considerations for employers
- The DPO will be immune from dismissal or penalisation for performing his/her functions. Any disciplinary action in respect of a DPO, even if unrelated to his/her functions, should be taken with caution as it may be construed as penalisation.
- The employer shall ensure that the DPO does not receive instruction in the exercise of his/her function and the DPO shall directly report to “the highest management level” of the organisation.
- The DPO may fulfil other tasks and duties but the employer must ensure that any such tasks and duties do not result in a conflict of interest for the DPO.
- The DPO has an obligation of secrecy/confidentiality concerning the performance of his/her tasks.
- The DPO should routinely attend meetings of management to facilitate compliance with the GDPR.
- The DPO should be given the autonomy and independence to carry out his/her functions.
- The employer must ensure that the DPO is provided with sufficient management support and resources to perform his/her role.
Employers should carry out an analysis now as to whether they need to appoint a DPO. They must document this analysis to show that due consideration has been given to the requirement to appoint a DPO and the details of the decision that is ultimately arrived at.
Employers might also consider what steps they could take to ensure that the DPO is in a position to perform his/her function effectively and in compliance with the GDPR. This objective might be partially met by adapting the DPO's contract of employment to incorporate some of the practical considerations outlined above.