On November 17, 2016, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP issued a white paper on Ensuring the Effectiveness and Strategic Role of the Data Protection Officer under the General Data Protection Regulation (the “White Paper”). The White Paper sets forth guidance and recommendations concerning the interpretation and implementation of the GDPR’s provisions relating to the role of the Data Protection Officer (“DPO”).
The White Paper was developed in the context of CIPL’s ongoing GDPR Implementation Project, a multi-year initiative involving research, workshops, webinars and white papers, supported by over 70 private sector organizations, with active engagement and participation by many EU-based data protection and governmental authorities, academics and other stakeholders.
The purpose of the White Paper is twofold: (1) to serve as formal input to the Article 29 Working Party’s work on developing further guidance on the proper implementation of the DPO role under the GDPR, which is expected to be finalized by the end of December; and (2) to provide guidance for companies that must comply with the GDPR’s DPO provisions by May 25, 2018 (i.e., the date the GDPR becomes effective).
The White Paper encourages a flexible and pragmatic implementation of the GDPR’s DPO provisions to ensure that they work for organizations of all sizes and types, from large multinational organizations to SMEs, start-ups, NGOs and public authorities. It identifies challenges posed by specific DPO requirements and proposes sensible interpretations and “best practices” for (1) implementing them and (2) maximizing the potential of the DPO to drive the dual goals of compliance and accountability on the one hand, and the strategic and beneficial use of data on the other.
The specific issues addressed in the White Paper include:
- mandatory vs. non-mandatory DPOs;
- processor DPOs;
- EU-wide harmonization of DPO designation criteria;
- sanctions for DPO violations;
- personal liability;
- DPO expertise, skills and certifications;
- the DPO’s location;
- internal, external and part-time DPOs;
- the strategic and business-enabling roles of the DPO and other roles beyond compliance;
- independence, protected status and reporting to the “highest management level”;
- duties of secrecy and confidentiality;
- proper and timely DPO involvement in data processing operations;
- the DPO’s access to resources;
- conflicts of interest; and
- cooperation and consultation with DPAs and serving as a contact point for individuals.
Next, CIPL will issue a white paper on the roles of risk, high risk and Data Protection Impact Assessments under the GDPR, followed by a white paper on the roles of GDPR certifications, seals and marks. CIPL will address additional GDPR topics in the course of 2017.