The General Data Protection Regulation (GDPR) introduced the figure of the "Data Protection Officer" ("DPO"), a role that already existed in some European legal systems such as Germany, Austria, and the Czech Republic. Its primary goal is to ensure that personal data is managed in companies and public bodies in a way that complies with the applicable legal provisions.
Essential guidance on the DPO has been provided by the Article 29 Data Protection Working Party (WP29, now replaced by the European Data Protection Board) in its "Guidelines on Data Protection Officers."
In this article we analyze the DPO's role and responsibilities in detail.
The criteria on the mandatory designation
The GDPR (Article 37(1)) requires the designation of a DPO in three specific cases:
a) where the processing is carried out by a public authority or body (except for courts acting in their judicial capacity);
b) where the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or
c) where the core activities of the controller or the processor consist of processing on a large scale of special categories of data (e.g., genetic data, data concerning health, etc.) or personal data relating to criminal convictions and offenses.
Note that Union or Member State law may require the designation of DPOs in other situations as well.
Even where the appointment of a DPO is not mandatory, it may be useful to appoint one on a voluntary basis. This is especially advisable where the processing activities present risks to the rights and freedoms of individuals (in line with the accountability principle).
The DPO has a mixed advisory and supervisory role, and he/she shall have at least the following tasks (Article 39(1)):
1. to inform and advise the controller or the processor and the employees who carry out processing of their obligations under the GDPR and under other Union or Member State data protection provisions;
2. to monitor compliance with the GDPR, with other Union or Member State data protection provisions and with the controller's or processor's data protection policies, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits. According to WP29, these compliance monitoring tasks include:
- collect information to identify processing activities
- analyze and check the compliance of processing activities
- inform, advise and issue recommendations to the controller or the processor.
3. to provide advice where requested on the Data Protection Impact Assessment (DPIA) and to monitor its performance;
4. to cooperate with the supervisory authority;
5. to act as the contact point for the supervisory authority on issues relating to processing, and to consult with it, where appropriate, on any other matter.
The GDPR requires DPOs to prioritize their activities and to focus their efforts on the issues that present higher data protection risks (Article 39(2)). In addition, the controller or processor may delegate to the DPO the task of maintaining the record of processing activities.
Moreover, the DPO shall be involved, properly and in a timely manner, in all issues relating to the protection of personal data, and the organization should ensure that:
1. The DPO regularly participates in meetings of senior and middle management.
2. The DPO is present at the meetings where decisions with data protection implications are taken.
3. The opinion of the DPO is always given due weight. In case of disagreement, WP29 recommends, as good practice, documenting the reasons for not following the DPO's advice.
4. The DPO is promptly consulted once a data breach or another incident has occurred.
Expertise and Skills
According to WP29, the person appointed to this role must be chosen with care, verifying his or her skills and expertise and taking due account of the specific data protection issues of each individual organization.
Relevant skills and knowledge include:
1. knowledge in national and European data protection laws and practices including an in-depth understanding of the GDPR;
2. understanding of the processing operations carried out;
3. understanding of information technologies and data security;
4. knowledge of the business sector and the organization;
5. ability to promote a data protection culture within the organization.
Conflict of interests
The absence of a conflict of interest is essential. This means that, in the case of an internal designation, the DPO cannot hold a position within the organization that leads him or her to determine the purposes and the means of the processing of personal data.
WP29 states that conflicting positions within the organization may include senior management positions (such as CEO, COO, CFO, Chief Medical Officer, Chief Marketing Officer, Head of Human Resources, or Head of IT). The same applies to lower-ranking roles in the organizational structure if they lead to the determination of the purposes and means of processing.
Article 38(3) requires that DPOs should "not be dismissed or penalized by the controller or the processor for performing [their] tasks." This requirement strengthens the autonomy of DPOs and helps ensure that they act independently and have sufficient protection in performing their data protection tasks.
For example, a DPO may consider that processing is likely to result in high risk and advise the controller or the processor to carry out a data protection impact assessment. If the controller or the processor does not agree with the DPO's assessment, the DPO cannot be dismissed for providing this advice.
Failure to designate a DPO where it is mandatory may lead to a fine of up to EUR 10 million or, in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83(4)).
External or internal DPO?
The DPO may be a staff member of the controller or the processor (internal DPO) or may fulfill the tasks on the basis of a service contract.
In the latter case the DPO is external, and the function is exercised under a service contract with an individual or with an organization, such as a specialized consulting company.
If the DPO function is carried out by an external service provider, the relevant tasks can be performed effectively by a team with a defined internal structure.
Setting up a team to support the DPO can be particularly useful in complex contexts or in corporate groups. Each member of the team must meet all the applicable requirements set out in Section 4 of Chapter IV of the GDPR (Articles 37 to 39).
The great benefits of an external DPO
Under Article 37(5), the DPO shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfill his or her tasks.
There are numerous benefits to outsourcing the DPO function. Below we highlight the ten we consider most important.
1. Service available 24/7
2. Application of best practice in achieving and maintaining compliance
3. The highest specialist knowledge of data protection legislation and technological aspects
4. No conflict of interest between the DPO and other business activities
5. A combination of more skills and more people working as a team
6. Extensive knowledge of the market and similar businesses
7. Lower cost compared to an internal DPO
8. Independent experts
9. No training required
10. Expertise suited to your needs
In conclusion, businesses must be thorough when assigning a person to the DPO role.
In our view, appointing an external DPO is the best choice: it means engaging a professional team with multidisciplinary knowledge that oversees all aspects of the processing of personal data, supports the business consistently and improves compliance. This is an ideal arrangement for fulfilling regulatory obligations and implementing the GDPR principles.
Advantio's team of experts has helped many organizations achieve and maintain compliance. If you are considering an external DPO, get in touch with us to book a free call.