From May 2018, the GDPR will apply, and it will require some data controllers to appoint data protection officers (DPOs).
This article is to help companies in the search for a DPO, rather than describing conditions for the DPOs’ mandatory appointment.
Whether or not a company decides it needs a DPO, the reasons for this decision should be well documented as it may need to be explained to the data protection authority.
Requirements to become a DPO
The controller (and therefore the company) is liable for the DPO, so it must ensure that the DPO meets the requirements and can perform his (or her) duties properly. Unprepared or inexperienced DPOs represent an increased risk to the company's operations.
The GDPR states only that the DPO is chosen on the basis of ‘professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39’. What this actually means is not exhaustively regulated.
The DPO must have at least a minimum level of knowledge in
- data protection law,
- IT and cybersecurity,
- the internal processes in the company, and
- the industry in which the company operates.
Only the relatively few people who dealt with data protection before the GDPR was published have had the chance to gain experience. Moreover, local data protection know-how is likely to be limited compared to that in other European countries (such as Germany, Austria and the UK), as this area has rarely been considered a priority by companies in Romania.
Against this background, a candidate’s suitability for the DPO role should be judged primarily against the tasks the job actually involves.
The main tasks of the DPO in a company are:
- Advice on data protection, and monitoring compliance with the GDPR.
For this the DPO needs access to all relevant information and processes in the company. He must analyse them, identify any risks, and make suggestions to minimize risk (for example, deleting non-essential personal data, restricting access to information, pseudonymizing personal data, etc.). He must also check that internal procedures, and his own recommendations, are actually being followed.
- Data protection impact assessment
The company must also undertake a data protection impact assessment (also called a privacy impact assessment) if ‘a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons’. When carrying one out it must seek the advice of the DPO, where one has been designated.
WP 29 (the Article 29 Working Party, an independent European advisory body on data protection) recommends that the DPO should advise on:
- whether a data protection impact assessment should be carried out,
- how it should be done (by in-house staff or by an external provider),
- which safeguards and security measures should be applied to mitigate the risks identified,
- how often the data protection impact assessment should be repeated or reviewed,
- any further recommendations.
If the company decides not to follow the DPO’s advice, it must document its reasons for doing so in writing.
- Cooperation with the supervisory authority
The DPO is the contact point for the supervisory authority. He provides it with all the information requested in the course of investigations, and may consult the authority on particular questions. It is therefore important that the DPO is familiar with the company and is also experienced in crisis management (e.g. investigations by the supervisory authority, or security incidents).
In some cases, the DPO may also perform additional tasks, such as maintaining the record of processing activities. Although this is formally the responsibility of the data controller, it is close enough to the DPO’s duties that the DPO is well placed to take it on.
The DPO must be a person the company can trust to uphold the rights and freedoms of natural persons. The main motivation should not be avoiding fines, but compliance with the GDPR in order to protect the privacy of employees and other individuals. Cooperation between the DPO and the various departments in the company is particularly important.