The series consists of 5 articles:
While DPOs existed long before the GDPR came into effect, the latest EU law on data protection represents the most broadly applied definition of the role. You can learn about the appointment, position and tasks of the DPO under Recital 97, along with Articles 37, 38 and 39 of the GDPR.
The DPO is a unique position, distinct from that of a Chief Information Officer (CIO), Chief Privacy Officer (CPO), and Chief Information Security Officer (CISO), or any similar senior positions for that matter. Firstly, an organisation is required to ensure that the appointee can undertake their tasks with independence and without fear of adverse consequences resulting from their decisions. In truth, a DPO may come into conflict with other departments, especially when recommending a Data Protection Impact Assessment (DPIA) is required, or when investigating a data breach.
When it comes to personal liability for data protection compliance, this does not fall on the DPO. The controller or processor remains responsible for complying with the GDPR. Nevertheless, the DPO clearly plays a crucial role in helping an organisation fulfil its data protection obligations.
In this first article, we look at how the role of the DPO evolved, its purpose and definition under the GDPR. We also identify the organisations the DPO will come into contact with from supervisory authorities (SA) such as the Information Commissioners’ Office (ICO) to industry associations.
Both public and private organisations alike will need to establish whether they require a DPO. If an appointment is not mandatory, further evaluation should be undertaken to determine if it may be useful to select a DPO on a voluntary basis.
The requirements for appointing a mandatory DPO can be found under Article 37. Public authorities and bodies are almost certainly required to do so. The determination, however, is not so obvious for commercial enterprises and will depend on the nature, size and scale of the data processing operations in place. If the core activities of a business involve regular and systematic monitoring of data subjects on a large scale, and or large scale processing of special categories of data, then they will also be required to appoint a DPO.
In reality, there are many compelling arguments for appointing a DPO voluntarily. According to the WP29 Guidelines for Data Protection Officers, the DPO is not only a cornerstone of accountability but can also help to ensure a competitive advantage. It is reasonable to assume, therefore, that assigning someone to manage data protection risk and compliance makes good business sense. In doing so, you will not only provide confidence to data owners but all key stakeholders.
In this second article, we examine the many questions surrounding whether to appoint a DPO in considerable detail. To allow for easier reading, we have separated our in-depth analysis into two sections, one for commercial organisations and the other for public authorities and bodies.
Before appointing a DPO, the executive management team will need to review how the organisation is structured to ensure that the DPO can fulfil their obligations satisfactorily. Details can be found under Article 38 of the GDPR, which outlines the position of the DPO.
The DPO should be an independent and adequately resourced position that reports to the highest management level. It also should be noted that the DPO must be free from the fear of disciplinary action when it comes to the performance of their official duties, and that they are bound by secrecy or confidentiality regarding the performance of their tasks.
The tasks of the DPO are set out in Article 39. They include informing and training employees who process personal data on GDPR matters, monitoring compliance, analysing data protection impact assessments (DPIA), and acting as the point of contact for data subjects and regulatory authorities. The DPO may be assigned other duties (such as record keeping) if there is no conflict of interest. A significant component of the DPOs role is risk management, especially concerning DPIAs.
In this third article, we look at the requirements employers face when appointing a DPO, what they should prepare for, and how to structure the position. We also introduce the areas that will require funding and resource allocation. Then to close, we outline the duties that the DPO must perform.
Having decided to appoint a DPO, finding a suitable individual for the role is crucial. Article 37 of the GDPR sets out the criteria for selecting a candidate, who can be a new or existing member of staff, a consultant, or a specialist DPO service provider. It is worth noting, the role can be part-time, and that a DPO can cover several organisations provided they are easily accessible to each.
Whatever approach you take, the person (or specialist provider) that you select must possess the necessary skills and qualifications to fulfil the tasks set out in Article 39. They will require up to date knowledge of data protection law, compliance, IT, data security and project management. An understanding of the industry sector in which the organisation operates is a must-have too.
Soft skills are an equally important consideration, as any DPO will need to be adept at navigating internal politics and dealing with strong personalities. They will be required to provide awareness training, and to play a role in negotiating GDPR compliant supply-chain contracts. The ability to confidently communicate data protection principles with multiple stakeholders will be essential.
Data protection is a rapidly evolving area with breach notifications, developments in case law, policy updates, guidance materials and other notices occurring daily. It's crucial, therefore, to find a DPO with enthusiasm, who possesses a natural desire for continuous learning and improvement.
In this fourth article, we reflect on the skills, experience and professional qualities to look for in a DPO. We look at the advantages for and against making an internal or external appointment. Finally, we identify and compare some of the terms and details to consider while drafting a contract.
While not all organisations are required to appoint a DPO, the necessity to be GDPR compliant is the same across the board. As such, any private enterprise that elects not to appoint a DPO must still have the right policies, procedures, and reporting abilities in place at all times.
Three of the most critical areas of GDPR compliance relate to data subject access requests (SAR), data breaches and DPIAs. Where a DPO is in place, they will play a large part in ensuring these challenges are dealt with correctly. However, the absence of a DPO means such occurrences will need to be overseen by other personnel, whether from within the organisation or from outside.
In this, the fifth and final article of the series, we look at these three areas in detail and offer practical steps that companies should follow when choosing not to make a DPO appointment.