The Article 29 Working Party (WP29) has published guidance on Data Protection Officers (DPOs) for the purposes of the General Data Protection Regulation (GDPR) which applies from 25 May 2018.
What does the GDPR say?
What is a DPO?
A DPO is an independent person responsible for helping an organisation comply with the GDPR. The DPO advises on and monitors data protection activities within the organisation, keeps management informed of its data protection obligations, and is the primary point of contact for supervisory authorities. While some Member States are already familiar with mandatory DPOs and the ICO has recommended their appointment in the UK, many UK organisations will be dealing with the concept for the first time.
Which organisations need a DPO?
Under the GDPR (Article 37(1)), it is mandatory for a data controller or processor to appoint a DPO if one of the following applies (noting that Member States have scope to extend this requirement to other circumstances):
- it is a public authority or body;
- its core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; or
- its core activities consist of processing, on a large scale, special categories of data (sensitive data under Article 9) and/or personal data relating to criminal convictions and offences (Article 10).
What does a DPO's role entail?
Article 38(3) GDPR states that controllers/processors are required to ensure that DPOs do "not receive any instructions regarding the exercise of his/her tasks." Recital 97 GDPR states that DPOs "whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner".
Article 39 GDPR sets out the core tasks of the DPO, including:
- informing and advising the controller/processor of their data protection obligations and documenting this activity and the responses received;
- monitoring the implementation and application of the controller's/processor's data protection policies, including the assignment of responsibilities, the training of staff and related audits;
- monitoring compliance with the controller's/processor's data protection obligations, in particular with regard to data protection by design, data protection by default, data security and data subject rights;
- providing advice where requested on data protection impact assessments (DPIAs) and monitoring their performance; and
- cooperating with a supervisory authority and acting as a point of contact.
Qualities of the DPO
Recital 97 GDPR confirms that a DPO should have expert knowledge of data protection law and practices which should assist the controller or processor to monitor internal compliance with the GDPR. Furthermore, the necessary level of expert knowledge should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor.
Article 29 Working Party Guidance
The WP29 guidance aims to clarify the relevant provisions of the GDPR (relating to appointment, position and tasks) in order to help controllers and processors comply with the law, but also to assist DPOs in their role. The guidance also makes best practice recommendations.
Voluntary appointment of DPOs
The WP29 encourages organisations which are not required to appoint a DPO under Article 37 GDPR, to appoint a DPO in any event. The GDPR (including Articles 37-39) will still govern such voluntary appointment. In the event that an organisation determines a DPO is not required, controllers/processors should document the analysis carried out, including the factors considered and the reasoning behind such decision.
Who can be appointed as DPO and what skills should they have?
DPOs should have "knowledge of the business sector and of the organisation of the controller". As such, DPOs ought to understand both the business itself and the type of work conducted in its sector more generally. However, the DPO does not have to be appointed internally: the function can be exercised by "an individual or organisation outside the controller's/processor's organisation" on the basis of a service contract, provided that "no one has a conflict of interests". Where an external DPO team is used, the contract should allocate tasks clearly within the team and name a lead contact.
DPO's role within an organisation
The DPO should be given sufficient autonomy and resources to carry out their tasks effectively and maintain their knowledge. However, this autonomy does not mean they have decision-making powers extending beyond their tasks in Article 39 GDPR. In fulfilling their tasks, DPOs should not be instructed on how to deal with a matter or to take a specific view relating to data protection law.
The WP29 confirms that a DPO acts as an intermediary between relevant stakeholders of the business and will be responsible for facilitating compliance with the GDPR. The DPO is not, however, personally responsible for ensuring compliance. This obligation remains with the controller/processor organisation.
The WP29 confirms that the DPO must be involved in data protection issues "from the earliest stage", including in relation to data protection impact assessments, meetings of senior and middle management, data protection decisions and data breaches. The DPO should therefore be given sufficient influence and access to the business, including to management discussions. The WP29 also states that "the opinion of the DPO must always be given due weight". The organisation is not obliged to act on the DPO's recommendations, but where it decides not to follow them "the organisation should document the reason for not following the DPO's advice".
In terms of resources, the WP29 states that organisations must consider the following resources (with more resources being provided where the processing operations are more sensitive and/or complex):
- active support of the DPO function by senior management;
- allowing sufficient time for the DPO to fulfil their duties (including determining the time needed to carry out the function, the priority for DPO duties, and drawing up a work plan);
- support in terms of financial resources, infrastructure and staff;
- access to the business (from HR to IT) to allow the DPO to receive support, input and information;
- DPO's continuous training; and
- setting up a DPO team (the DPO and supporting staff) where the size and structure of the organisation make this necessary.
Consulting the DPO
The WP29 confirms that a DPO should be consulted when a controller is considering:
- whether to carry out a data protection impact assessment (DPIA) and the methodology to use;
- whether to carry out the DPIA in-house or to outsource it;
- whether the DPIA has been carried out appropriately and whether its conclusions comply with the GDPR; and
- what safeguards to apply to mitigate risks to data subject rights and interests.
Further guidance on mandatory appointments
The WP29 has provided direction as to when a DPO is required by law, breaking down each limb of Article 37(1) in more detail:
- the organisation is a "public authority or body":
- The WP29 has advised that such notion will be determined under national law, to include national, regional and local authorities as well as other bodies governed by public law.
- In relation to natural or legal persons carrying out a public task or exercising a public authority, such as public transport services, water and energy supply, road infrastructure, public service broadcasting, public housing or disciplinary bodies for regulated professions, the WP29 has advised that it is good practice for such organisations to appoint a DPO, and the DPO's activity should cover all processing operations carried out, including those not related to a public task or official duty.
- the organisation's core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale:
- Recital 97 GDPR confirms that "core activities" relate to an entity's primary activities and not to the processing of personal data as an ancillary activity. The WP29 adds that core activities are "key operations necessary to achieve the controller's or processor's goals", which includes activities where the processing of personal data forms an inextricable part of the controller's/processor's activity (for example, a hospital processing patient health records).
- "Regular and systematic monitoring" is not defined by the GDPR, although Recital 24 refers to "monitoring the behaviour of data subjects". The WP29 interprets "regular" as ongoing or occurring at particular intervals for a particular period, recurring or repeated at fixed times, and/or constantly or periodically taking place. "Systematic" means one or more of: occurring according to a system; pre-arranged, organised or methodical; taking place as part of a general plan for data collection; or carried out as part of a strategy. Online behavioural advertising is therefore only one example of this type of processing. Others include profiling and scoring for risk assessment (e.g. fraud prevention or credit scoring), fitness and health data collected via wearable devices, CCTV and connected devices such as smart meters and connected cars.
- The WP29 Guidance provides some factors to consider when determining whether processing is carried out on a "large scale", including:
- number of data subjects concerned (either as a specific number or as a proportion of the relevant population);
- the volume of data and/or the range of different data items being processed;
- the duration, or permanence, of the data processing activity;
- the geographical extent of the processing activity.
- Examples the WP29 gives of large-scale processing include the processing of personal data for behavioural advertising by a search engine, and the processing of real-time geolocation data of customers of an international fast food chain for statistical purposes by a processor specialised in providing such services.
- the organisation's core activities consist of processing, on a large scale, special categories of data or personal data relating to criminal convictions and offences:
- Controllers and processors should each consider whether the appointment of a DPO is necessary in these circumstances. Where a controller is required to appoint a DPO, it is good practice for its processor to appoint one as well, even if the processor is not itself required to do so by law.
Group of undertakings and public bodies
Articles 37(2) and (3) of the GDPR state that a group or several public authorities/bodies can appoint a DPO, provided that the DPO is "easily accessible from each establishment". The WP29 confirms that this notion of accessibility relates to the DPO's ability to efficiently communicate (including in relation to languages) with data subjects, a supervisory authority and internally within each organisation of the group. The DPO must be personally available to ensure data subjects, in particular, can make contact. While the DPO is bound by confidentiality obligations, this does not prohibit the DPO from seeking advice from a supervisory authority.
Expertise and skill of the DPO
The WP29 confirms that while the DPO's level of skill is not defined, their appointment must take into consideration the type, amount, location and complexity of data held by the business (i.e. the more sensitive the data, the more skilled the DPO needs to be). DPOs should also have "experience in national and EU data protection laws and practices and in-depth understanding of the GDPR". Knowledge of the business sector, controller organisation, processing operations, information systems, data security and data protection needs of the controller are also recommended.
In terms of the ability to fulfil their tasks, a DPO should have integrity and high professional ethics and should foster a data protection culture within the organisation (including in respect of the data protection principles, data subject rights, data protection by design and by default, records of processing, security of processing and notification of personal data breaches).
Publication of a DPO's contact details
The DPO's postal address, dedicated phone number and dedicated email address should be publicised. A dedicated hotline or dedicated contact form could also be used. The DPO's name is not required for the general public, but, as a matter of good practice, should be provided to a supervisory authority and employees of the organisation (e.g. on the organisation's intranet).
Dismissal of a DPO
Article 38(3) of the GDPR confirms that DPOs cannot be dismissed or penalised for performing their tasks. The WP29 reaffirms that a DPO cannot be dismissed for providing a dissenting opinion or an assessment with which the controller or processor disagrees. A "penalty" is construed broadly: it could range from the absence or delay of a promotion, prevention of career advancement or denial of employee benefits, and it covers the threat of such a penalty as well as its imposition. A DPO can, however, be dismissed for other legitimate reasons, such as theft, physical, psychological or sexual harassment, or other gross misconduct.
Conflicts of interest
A DPO cannot hold a position within an organisation that leads him or her to determine the purposes and means of the processing of personal data (for example, senior management roles such as chief executive, chief operating officer, chief financial officer, head of marketing, head of HR or head of IT). The WP29 guidance sets out some good practice considerations, including: identifying positions that would be incompatible with the DPO function; drawing up internal rules to avoid conflicts of interest; requiring a declaration that the appointed DPO has no conflict of interest; and putting safeguards in place to ensure that no conflict arises.