Tuesday, June 20, 2017
A key new obligation under the GDPR is the requirement that certain data controllers and processors appoint a Data Protection Officer (DPO). A DPO is an individual who takes responsibility for an organisation’s data protection compliance. It is important that if required to do so, organisations have an appropriately qualified and effective DPO in place in advance of 25 May 2018.
The International Association of Privacy Professionals (IAPP) conservatively estimates that 28,000 DPOs will need to be appointed across the private sector in the EU before May 2018.
DO WE NEED TO APPOINT A DPO?
It is mandatory for certain data controllers and processors to appoint a DPO, namely:
Even where the GDPR does not require the mandatory appointment of a DPO, the Article 29 Working Party (a group consisting of data protection regulators from all EU Member States, who issue influential guidance and opinions) has noted that organisations may sometimes find it useful to designate a DPO on a voluntary basis and in fact, the Article 29 Working Party encourages such
voluntary efforts. However, it is important to note that when an organisation designates a DPO on a voluntary basis, the requirements under the GDPR relating to DPOs will apply as if the designation of the DPO was mandatory.
WHAT ARE THE TASKS OF THE DPO?
The DPO must carry out at least the following tasks:
WHAT QUALIFICATIONS & SKILLS MUST A DPO HAVE?
The DPO should be a professional with expert knowledge of data protection law and practice. The specific level of expert knowledge required should be determined according to the data processing operations carried out by the particular organisation and the protection required for that personal data.
For example, where an organisation processes a very large amount of sensitive personal data or systemically transfers personal data outside the European Union, the DPO must have a higher level of expertise. The GDPR does not specify any particular qualifications which a DPO must hold.
As minimum, the DPO must have expertise in national and European data protection laws and practices as well as an in-depth understanding of the GDPR. It is also useful if the DPO has knowledge of the particular business sector the organisation operates within. (IAPP offers a two-stage certification for DPOs, both ISO-certified, being their Certified Information Privacy Professional/Europe (CIPP/E) and their Certified Information Privacy Professional/Management (CIPP/M).)
The Article 29 Working Party have identified particular personal qualities, such as integrity and high professional ethics, that a DPO must have so he/she is able to fulfil the tasks required under the GDPR.
THE DPO’S ROLE IN AN ORGANISATION- ENGAGING A DPO
A DPO can be an employee or an outside consultant. It is not necessary that the DPO’s sole/only function with the organisation is that of data protection. The GDPR acknowledges that a DPO may fulfil other tasks and duties within an organisation. However, if they do so, the other tasks and duties must not conflict with the DPO’s role.
It is possible for a single DPO to be appointed across a corporate group. The GDPR provides that a group of undertakings may designate a single DPO so long as he/she is easily accessible from each establishment. Similarly, the GDPR permits a single DPO to be designated for several public bodies.
PUBLICATION OF CONTACT DETAILS
The contact details of the DPO must be published. This can be achieved by publishing a postal address, dedicated telephone number and/or email address where the DPO can be reached. Separately, the name and contact details of the DPO must be provided to the supervisory authority. The objective of these publication requirements is to ensure that data subjects and supervisory authorities
can easily contact the DPO directly in relation to issues regarding the processing of personal data.
INVOLVEMENT IN ORGANISATION
One core issue is the position of the DPO within an organisation. The data controller and processor are obliged to ensure that the DPO is involved, properly and in a timely manner, in all issues which relate to the protecting of personal data. The Article 29 Working Party recommends that this can be achieved by the organisation:
The organisation is obliged to provide the necessary resources to the DPO to carry out the tasks, access personal data and processing operations and maintain his or her expert knowledge. The level of resources required will depend upon the size of processing activities of the organisation.
The organisation should ensure that the DPO is provided with active support by senior management, is provided sufficient time to fulfil their tasks and provided sufficient resources (e.g. additional staff, infrastructure, financial resources) so he/she can fulfil their role.
The DPO must be independent. The data controller and processor cannot instruct the DPO as to how to conduct his/her tasks. Further, the DPO cannot be dismissed or penalised for performing his/her tasks.