The GDPR: Data Protection Officers

Tuesday, June 20, 2017

A key new obligation under the GDPR is the requirement that certain data controllers and processors appoint a Data Protection Officer (DPO). A DPO is an individual who takes responsibility for an organisation’s data protection compliance. It is important that if required to do so, organisations have an appropriately qualified and effective DPO in place in advance of 25 May 2018.

The International Association of Privacy Professionals (IAPP) conservatively estimates that 28,000 DPOs will need to be appointed across the private sector in the EU before May 2018.

DO WE NEED TO APPOINT A DPO?

It is mandatory for certain data controllers and processors to appoint a DPO, namely:

Public Bodies (except for courts acting in their judicial capacity);
Where the core activities of the data controller or processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale (for example, operating a telecommunications network, data-driven marketing activities, location tracking, CCTV, connected devices); or
Where the core activities of the controller or the processor consist of the processing on a large scale of special categories of personal data or personal data relating to criminal convictions and offences.

Even where the GDPR does not require the mandatory appointment of a DPO, the Article 29 Working Party (a group consisting of data protection regulators from all EU Member States, who issue influential guidance and opinions) has noted that organisations may sometimes find it useful to designate a DPO on a voluntary basis and in fact, the Article 29 Working Party encourages such
voluntary efforts. However, it is important to note that when an organisation designates a DPO on a voluntary basis, the requirements under the GDPR relating to DPOs will apply as if the designation of the DPO was mandatory.

WHAT ARE THE TASKS OF THE DPO?

The DPO must carry out at least the following tasks:

Inform and advise the organisation (and any employees who process personal data) of the obligations under the GDPR and any other EU and national data protection law;
Monitor the organisation’s compliance with the GDPR and any other EU and national data protection law
Monitor the organisation’s compliance with their own data protection policies including the assignment of responsibilities, awareness training and training of staff involved in processing operations and the related audits;
Provide advice on the completion of data protection impact assessments and prior consultation with the supervisory authority; and
Cooperate with the supervisory authority and act as the point of contact for the supervisory authority.

WHAT QUALIFICATIONS & SKILLS MUST A DPO HAVE?

The DPO should be a professional with expert knowledge of data protection law and practice. The specific level of expert knowledge required should be determined according to the data processing operations carried out by the particular organisation and the protection required for that personal data.

For example, where an organisation processes a very large amount of sensitive personal data or systemically transfers personal data outside the European Union, the DPO must have a higher level of expertise. The GDPR does not specify any particular qualifications which a DPO must hold.

As minimum, the DPO must have expertise in national and European data protection laws and practices as well as an in-depth understanding of the GDPR. It is also useful if the DPO has knowledge of the particular business sector the organisation operates within. (IAPP offers a two-stage certification for DPOs, both ISO-certified, being their Certified Information Privacy Professional/Europe (CIPP/E) and their Certified Information Privacy Professional/Management (CIPP/M).)

The Article 29 Working Party have identified particular personal qualities, such as integrity and high professional ethics, that a DPO must have so he/she is able to fulfil the tasks required under the GDPR.

THE DPO’S ROLE IN AN ORGANISATION- ENGAGING A DPO

A DPO can be an employee or an outside consultant. It is not necessary that the DPO’s sole/only function with the organisation is that of data protection. The GDPR acknowledges that a DPO may fulfil other tasks and duties within an organisation. However, if they do so, the other tasks and duties must not conflict with the DPO’s role.

It is possible for a single DPO to be appointed across a corporate group. The GDPR provides that a group of undertakings may designate a single DPO so long as he/she is easily accessible from each establishment. Similarly, the GDPR permits a single DPO to be designated for several public bodies.

PUBLICATION OF CONTACT DETAILS

The contact details of the DPO must be published. This can be achieved by publishing a postal address, dedicated telephone number and/or email address where the DPO can be reached. Separately, the name and contact details of the DPO must be provided to the supervisory authority. The objective of these publication requirements is to ensure that data subjects and supervisory authorities
can easily contact the DPO directly in relation to issues regarding the processing of personal data.

INVOLVEMENT IN ORGANISATION

One core issue is the position of the DPO within an organisation. The data controller and processor are obliged to ensure that the DPO is involved, properly and in a timely manner, in all issues which relate to the protecting of personal data. The Article 29 Working Party recommends that this can be achieved by the organisation:

Inviting the DPO to participate regularly in meetings of senior and middle management.
Including the DPO in all decisions which have data protection implications, in particular, providing the DPO with all relevant information to allow him/her to consider the issue and provide adequate advice.
Affording due weight to the opinion of the DPO. In cases of disagreement, the Article 29 Working Party recommends, as a good practice, that the organisation documents the reasons for not following the DPO’s advice.
Immediately contacting a DPO once a data breach or other data protection incident has occurred.

NECESSARY RESOURCES

The organisation is obliged to provide the necessary resources to the DPO to carry out the tasks, access personal data and processing operations and maintain his or her expert knowledge. The level of resources required will depend upon the size of processing activities of the organisation.
The organisation should ensure that the DPO is provided with active support by senior management, is provided sufficient time to fulfil their tasks and provided sufficient resources (e.g. additional staff, infrastructure, financial resources) so he/she can fulfil their role.

INDEPENDENCE

The DPO must be independent. The data controller and processor cannot instruct the DPO as to how to conduct his/her tasks. Further, the DPO cannot be dismissed or penalised for performing his/her tasks.

Back To News

Author

Anne Bateman

PARTNER

Cookie	Type	Duration	Description
Necessary
cookielawinfo-checkbox-non-necessary	session	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Non Necessary".
viewed_cookie_policy	session	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
cookielawinfo-checkbox-necessary	session	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
Analytics
_gat_gtag_UA_180138433_1	third-party	1 minute	Google uses this cookie to distinguish users.
GPS	session	30 minutes	This cookie is set by Youtube and registers a unique ID for tracking users based on their geographical location
_gid	session	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
_ga	persistent	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, camapign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assigns a randoly generated number to identify unique visitors.
Preferences
_gat_UA-25168621-1	session	1 minute	This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.
Advertisement
VISITOR_INFO1_LIVE	third-party	5 months	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
IDE	persistent	2 years	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
Performance
YSC	third-party		This cookies is set by Youtube and is used to track the views of embedded videos.

Contact The Team

Subscribe

The GDPR: Data Protection Officers

Author

Anne Bateman