TASKS OF THE DPO
The tasks of the DPO are set out under Article 39 of the GDPR.
The data protection officer shall have at least the following tasks:
- To inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
- To monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- To provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
- To cooperate with the supervisory authority;
- To act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
- The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
The words at least are important here.
The GDPR recognises that every organisation is different; therefore, these tasks should be seen as a minimum regarding the scope of the DPOs role.
The ICO provides further information about the tasks expected of the DPO on its dedicated page for data protection officers.
Data Protection Impact Assessments
Risk management is a key part of a DPOs tasks. Therefore, the DPO needs to have access to and control over data maps, processing policies and procedure, and to be informed immediately about potential new projects and revenue streams which could involve the processing of personal data.
The WP29 DPO Guidelines state that as far as the data protection impact assessment (DPIA) is concerned, the controller or the processor should seek the advice of the DPO, on the following issues, amongst others:
- Whether or not to carry out a DPIA
- What methodology to follow when carrying out a DPIA
- Whether to carry out the DPIA in-house or whether to outsource it
- What safeguards (including technical and organisational measures) to apply to mitigate any risks to the rights and interests of the data subjects
- Whether or not the data protection impact assessment has been correctly carried out and whether its conclusions (whether or not to go ahead with the processing and what safeguards to apply) are in compliance with data protection requirements
The ICO provides an excellent resource for data protection impact assessments on its website.
It is vital to note that as far as record keeping responsibilities go, it is for the controller or processor to ensure adequate records of processing operations are created and kept.
However, this task can be passed onto the DPO as long as overall responsibility remains with the controller or processor. These records are also essential resources for the DPO to perform their tasks of monitoring compliance, informing, and advising the controller or the processor.
As will be discussed in Appointing a DPO, to perform the tasks required, a DPO needs to be possessed with a combination of hard and soft skills.
- Hard skills - knowledge of data protection, cybersecurity, and compliance
- Soft skills - communication with multiple stakeholders simultaneously, managing conflicting objectives such as GDPR compliance versus company targets.
Being able to balance these skills and objectives is why the positioning within the organisation of the DPO is critical, to ensure they have the independence, resources, and confidence to perform their job effectively.