The Data Protection Officer (DPO) role is an important GDPR innovation and a cornerstone of the GDPR’s accountability-based compliance framework. In addition to supporting an organisation’s compliance with the GDPR, DPOs will have an essential role in acting as intermediaries between relevant stakeholders (e.g. supervisory authorities, data subjects, and business units within an organisation).
The DPO will have professional standing, independence, expert knowledge of data protection and, to quote the GDPR, be ‘involved properly and in a timely manner’ in all issues relating to the protection of personal data.
The DPC recommends that all organisations who will be required by the GDPR to appoint a DPO should do this as soon as possible and well in advance of May 2018. With the authority to carry out their critical function, the Data Protection Officer will be of pivotal importance to an organisation’s preparations for the GDPR and meeting the accountability obligations.
A DPO may be a member of staff at the appropriate level with the appropriate training, an external DPO, or one shared by a group of organisations, which are all options provided for in the GDPR.
It is important to note that DPOs are not personally responsible where an organisation does not comply with the GDPR. The GDPR makes it clear that it is the controller or the processor who is required to ensure and to be able to demonstrate that the processing is in accordance with the GDPR. Data protection compliance is ultimately the responsibility of the controller or the processor.
Public authorities and bodies include national, regional and local authorities, but the concept typically also includes a range of other bodies governed by public law.
It is recommended, as a good practice, that private organisations carrying out public tasks or exercising public authority should designate a DPO.
Core activities can be defined as the key operations necessary to achieve an organisation’s (controller or processor’s) goals. For example, a private security company which carries out surveillance of private shopping centres and/or public spaces using CCTV would be required to appoint a DPO as surveillance is a core activity of the company. On the other hand, it would not be mandatory to appoint a DPO where an organisation undertakes activities such as payroll and IT support as, while these involve the processing of personal data, they are considered ancillary rather than core activities.
While the GDPR does not define large-scale the following factors should be taken into consideration;
Examples of large-scale processing include:
Examples that do not constitute large-scale processing include:
Regular and systematic monitoring should be interpreted, in particular, as including all forms of tracking and profiling on the internet, including for behavioural advertising. However, the definition of monitoring is not restricted to the online environment. Online tracking is just one example of monitoring the behaviour of individuals.
‘Regular’ is interpreted by the Working Party 29 (comprising the EU’s data protection authorities) as meaning one or more of the following:
‘Systematic’ is interpreted as meaning one or more of the following:
Examples would likely include operating a telecommunications network; data driven marketing activities; profiling and scoring for purposes of risk assessment (eg fraud, credit scoring, insurance premiums); loyalty programmes, CCTV, and connected devices (eg smart cars)
Special Categories of Data – these include personal data revealing; racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation or personal data relating to criminal convictions and offences.
Further information and guidance on the Data Protection Officer role is set out in the guidelines of the Working Party 29. In particular, these guidelines set out the position of the EU’s data protection authorities on matters such as:
Article 37.5 of the GDPR provides that a Data Protection Officer “shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.”
The GDPR does not define the professional qualities required or prescribe the training a DPO should undergo to be qualified to undertake the role. This allows organisations to decide on their DPO’s qualifications and training tailored to the context of the organisation’s data processing.
The appropriate level of qualification and expert knowledge should be determined according to the personal data processing operations carried out, the complexity and scale of data processing, the sensitivity of the data processed and the protection required for the data being processed.
For example, where a data processing activity is particularly complex, or where a large volume or sensitive data is involved (i.e. an internet or insurance company), the DPO may need a higher level of expertise and support.
Relevant skills and expertise include: expertise in national and European data protection laws and practices including an in-depth understanding of the GDPR; understanding of the processing operations carried out; understanding of information technologies and data security; knowledge of the business sector and the organisation; and ability to promote a data protection culture within the organisation. For example, a DPO may need an expert level of knowledge in certain specific IT functions, international data transfers, or familiarity with sector-specific data protection practices such as public sector data processing and data sharing, to adequately perform their duties.
Taking into account the scale, complexity and sensitivity of their data processing operations, organisations should proactively decide on the qualifications and level of training required for their Data Protection. Officer.
In undertaking such an assessment, organisations should be aware that there are various training options that may be pursued. Some training courses are one-day sessions, while some are online only. Others lead to academically
accredited certificates such as diplomas from national law societies. There are also other professional training programmes which are recognised internationally and that offer professional qualifications that require an ongoing commitment to training in order to maintain the professional qualification.
The Data Protection Commissioner recommends that the following non-exhaustive list of factors be taken into consideration when selecting the appropriate DPO training programme:
In any case, a Data Protection Officer should have an appropriate level of expertise in data protection law and practices to enable them to carry out their critical role.
It is important to take into account that while a DPO is permitted to fulfil other tasks and duties, the organisation is required to ensure that any such tasks and duties do not result in a conflict of interests. This is essential to protecting the independence of the DPO. In particular, it means that a DPO cannot hold a position in an organisation where they have the authority to decide the purposes for which personal data is processed and the means by which it is processed.
While each organisational structure should be considered case by case, as a rule of thumb, conflicting positions within an organisation may include senior management positions such as chief executive, chief operating/financial/medical officer, head of HR or head of IT). The WP 29 guidelines address this matter in further detail.
Organisations will be required by the GDPR to publish contact details of the DPO and to communicate these details to the relevant data protection authority. The purpose of this requirement is to ensure that individuals (internal and external to the organisation) and the data protection authority can easily and directly contact the DPO without having to contact another part of the organisation. Further guidance is included in the WP 29’s guidelines.
To assist organisations in communicating the contact details of their DPO to the Data Protection Commissioner, an online portal on the DPC website is being developed and will be rolled out in 2018.