A key new obligation under the GDPR is the requirement that certain data controllers and processors appoint a Data Protection Officer (DPO). A DPO is an individual who takes responsibility for an organisation’s data protection compliance. It is important that if required to do so, organisations have an appropriately qualified and effective DPO in place in advance of 25 May 2018.
The International Association of Privacy Professionals (IAPP) conservatively estimates that 28,000 DPOs will need to be appointed across the private sector in the EU before May 2018.
DO WE NEED TO APPOINT A DPO?
It is mandatory for certain data controllers and processors to appoint a DPO, namely:
- Public Bodies (except for courts acting in their judicial capacity);
- Where the core activities of the data controller or processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale (for example, operating a telecommunications network, data-driven marketing activities, location tracking, CCTV, connected devices); or
- Where the core activities of the controller or the processor consist of the processing on a large scale of special categories of personal data or personal data relating to criminal convictions and offences.
Even where the GDPR does not require the mandatory appointment of a DPO, the Article 29 Working Party (a group consisting of data protection regulators from all EU Member States, who issue influential guidance and opinions) has noted that organisations may sometimes find it useful to designate a DPO on a voluntary basis and, in fact, encourages such voluntary efforts. However, it is important to note that when an organisation designates a DPO on a voluntary basis, the requirements under the GDPR relating to DPOs will apply as if the designation of the DPO was mandatory.
WHAT ARE THE TASKS OF THE DPO?
The DPO must carry out at least the following tasks:
- Inform and advise the organisation (and any employees who process personal data) of the obligations under the GDPR and any other EU and national data protection law;
- Monitor the organisation’s compliance with the GDPR and any other EU and national data protection law;
- Monitor the organisation’s compliance with their own data protection policies including the assignment of responsibilities, awareness training and training of staff involved in processing operations and the related audits;
- Provide advice on the completion of data protection impact assessments and prior consultation with the supervisory authority; and
- Cooperate with the supervisory authority and act as the point of contact for the supervisory authority.
WHAT QUALIFICATIONS & SKILLS MUST A DPO HAVE?
The DPO should be a professional with expert knowledge of data protection law and practice. The specific level of expert knowledge required should be determined according to the data processing operations carried out by the particular organisation and the protection required for that personal data.
For example, where an organisation processes a very large amount of sensitive personal data or systematically transfers personal data outside the European Union, the DPO must have a higher level of expertise. The GDPR does not specify any particular qualifications which a DPO must hold.
As a minimum, the DPO must have expertise in national and European data protection laws and practices as well as an in-depth understanding of the GDPR. It is also useful if the DPO has knowledge of the particular business sector the organisation operates within. (IAPP offers a two-stage certification for DPOs, both ISO-certified, being their Certified Information Privacy Professional/Europe (CIPP/E) and their Certified Information Privacy Professional/Management (CIPP/M).)
The Article 29 Working Party has identified particular personal qualities, such as integrity and high professional ethics, that a DPO must have so that he/she is able to fulfil the tasks required under the GDPR.
THE DPO’S ROLE IN AN ORGANISATION - ENGAGING A DPO
A DPO can be an employee or an outside consultant. It is not necessary that the DPO’s sole function within the organisation is that of data protection. The GDPR acknowledges that a DPO may fulfil other tasks and duties within an organisation. However, if they do so, the other tasks and duties must not conflict with the DPO’s role.
It is possible for a single DPO to be appointed across a corporate group. The GDPR provides that a group of undertakings may designate a single DPO so long as he/she is easily accessible from each establishment. Similarly, the GDPR permits a single DPO to be designated for several public bodies.
PUBLICATION OF CONTACT DETAILS
The contact details of the DPO must be published. This can be achieved by publishing a postal address, dedicated telephone number and/or email address where the DPO can be reached. Separately, the name and contact details of the DPO must be provided to the supervisory authority. The objective of these publication requirements is to ensure that data subjects and supervisory authorities can easily contact the DPO directly in relation to issues regarding the processing of personal data.
INVOLVEMENT IN ORGANISATION
One core issue is the position of the DPO within an organisation. The data controller and processor are obliged to ensure that the DPO is involved, properly and in a timely manner, in all issues which relate to the protection of personal data. The Article 29 Working Party recommends that this can be achieved by the organisation:
- Inviting the DPO to participate regularly in meetings of senior and middle management.
- Including the DPO in all decisions which have data protection implications, in particular, providing the DPO with all relevant information to allow him/her to consider the issue and provide adequate advice.
- Affording due weight to the opinion of the DPO. In cases of disagreement, the Article 29 Working Party recommends, as a good practice, that the organisation documents the reasons for not following the DPO’s advice.
- Immediately contacting the DPO once a data breach or other data protection incident has occurred.
The organisation is obliged to provide the DPO with the resources necessary to carry out his or her tasks, to access personal data and processing operations, and to maintain his or her expert knowledge. The level of resources required will depend upon the scale of the organisation’s processing activities. The organisation should ensure that the DPO is given active support by senior management, sufficient time to fulfil his or her tasks and sufficient resources (e.g. additional staff, infrastructure, financial resources) so that he/she can fulfil the role.
The DPO must be independent. The data controller and processor cannot instruct the DPO as to how to conduct his/her tasks. Further, the DPO cannot be dismissed or penalised for performing his/her tasks.