A key obligation under the General Data Protection Regulation (the GDPR) is that some data controllers and processors must appoint a Data Protection Officer (DPO).

Irish businesses must be fully compliant with the GDPR by 25 May 2018.

Do I need to appoint a DPO?

Businesses will need to decide if they need to appoint a DPO. The following entities must appoint a DPO:

  • public authorities,
  • businesses that engage in large scale regular and systematic monitoring of individuals, and
  • businesses that engage in large scale processing of special categories of personal data (see glossary) or data relating to criminal convictions / offences.

Even if the GDPR does not require the appointment of a DPO, some businesses may appoint a DPO on a voluntary basis. The GDPR rules relating to DPOs apply whether the appointment is voluntary or mandatory. Where a business is not required to appoint a DPO and tasks a person with responsibility for GDPR compliance, care should be taken to ensure that that person is not deemed to be a DPO, as this will give rise to the additional GDPR obligations.

As stated above, all public authorities must appoint a DPO and it is possible for a single DPO to be designated for several public authorities, taking account of their organisational structure and size. It is also possible for a single DPO to represent a number of private businesses.

In Guidelines adopted on 13 December 2016 and revised on 5 April 2017, the Article 29 Working Party (Working Party) recommends that unless it is clear that a controller or processor is not required to designate a DPO, then controllers and processors should document the internal analysis carried out to determine whether or not a DPO is to be appointed in order to be able to demonstrate that the relevant factors have been taken into account properly.

What is the role of the DPO under the GDPR?

The role of a DPO is to advise the business (be it a controller or processor) on its obligations under, and to monitor compliance with, the GDPR. They will also cooperate with and act as a contact point for the Data Protection Authority. They should report to the highest management of the business, be independent and can fulfil other tasks as long as there is no conflict of interests. They should have expert knowledge of data protection law and practices. The DPO may be a member of staff or it may be outsourced. Whoever the person is, the DPO must receive sufficient resources (ranging from financial to infrastructure and staff) in order to carry out its tasks.

The DPO must be involved in all issues which relate to the protection of personal data within the business, in particular by organising training and establishing a network of persons who are aware of the data protection issues within the organisation. They are also bound by confidentiality.

DPOs are also the contact point for individuals within or outside the organisation with regard to all issues relating to the processing of their personal data and to the exercise of their rights under the GDPR.

Businesses must not interfere with the DPO and they cannot penalise or dismiss the DPO in relation to the performance of his / her tasks. It is an offence for a business not to appoint a DPO where it is obliged to do so, and it may be subject to fines.