In anticipation of the coming into effect of the General Data Protection Regulation (the “GDPR”) on 25 May 2018, the Article 29 Data Protection Working Party (the “Working Party”) has released Guidelines on Data Protection Officers (the “Guidelines”). Data Protection Officers (“DPOs”) will play a central role under the GDPR and will be a key component in ensuring compliance with the new legal framework. Organisations should be cognisant both of the circumstances which require the appointment of a DPO and of the best practice recommendations outlined by the Working Party.
When is a Data Protection Officer required?
Article 37(1) of the GDPR sets out three cases in which a DPO must be appointed:
- where the processing is carried out by a public authority or body;
- where the core activities of the controller or of the processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale; or
- where the core activities of the controller or of the processor consist of processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences.
The Working Party recommends that organisations document the internal analysis carried out to determine whether a DPO must be appointed, unless it is evident that their processing activities fall outside the scope of the above categories. An organisation may also designate a DPO on a voluntary basis. In such a case, the requirements of the GDPR that apply to mandatorily appointed DPOs will apply equally to the voluntary appointment.
The GDPR refrains from defining the meaning of “public authority or body”. The Guidelines indicate that the term includes national, regional and local authorities but its scope will ultimately be determined by the national laws of the Member States.
According to the Working Party, the “core activities” of an organisation are the key operations required to achieve the organisation’s goals, as opposed to ancillary activities such as payroll or standard IT support. The Guidelines illustrate this with a hospital, whose core activity of providing health care cannot be carried out without processing patients’ health data, and with a private security company whose core activity of surveillance of shopping centres and public spaces necessarily involves regular and systematic monitoring of data subjects.
When ascertaining whether data is processed on a large scale, organisations are advised to consider factors such as the number of data subjects, the volume of the processed data, and the duration and geographical extent of the processing activities.
What is the role of a Data Protection Officer?
The main role of the DPO is to assist the data controller or processor in monitoring compliance with the GDPR. In order to efficiently monitor an organisation’s compliance, it is important that the DPO is in a position to collect information to enable the identification of processing activities, to analyse the compliance of processing activities with the provisions of the GDPR and to inform and advise the data controller or processor.
The Guidelines highlight the importance of the involvement of the DPO in all matters relating to the protection of personal data within the organisation. The DPO should be invited to participate in management meetings and to give an opinion on data protection matters. In case the management of the organisation decides not to follow the advice of the DPO, the Working Party recommends that the reasons for that are duly documented.
The DPO must be given sufficient time, financial resources, facilities and staff to perform his or her tasks, to access personal data and processing operations and to maintain his or her expert knowledge.
The DPO’s independence is paramount to the performance of his or her tasks. DPOs should report directly to the highest management level in the organisation and should be free to express a dissenting opinion. To protect that independence, the GDPR provides that the DPO may not be dismissed or penalised by the controller or processor for performing his or her tasks. In addition, the DPO is not personally responsible for the organisation’s non-compliance with data protection requirements; that responsibility remains with the controller or processor.
Points to watch:
In terms of future compliance, and given the exposure to significant administrative fines under the GDPR, it is essential for organisations to ascertain whether they are required to appoint a DPO and to document that analysis. If an appointment is not required, it is advisable to consider whether designating a DPO would nevertheless be beneficial to the organisation. When designating a DPO, organisations should be satisfied that the individual in question possesses sufficient knowledge, skills and expertise to monitor the organisation’s compliance. Finally, organisations should ensure that the DPO is provided with sufficient support and resources to carry out his or her duties under the GDPR effectively, and that his or her independence is guaranteed.