Ok, obviously your GDPR project is in full swing: you know the impact on your organisation, you’ve made the plans to stay compliant, the education of the workforce is in full effect, and you are down to the last few tasks before this can all be put to bed and you can move on to the next big thing. Does that sound like your world? No? Ok, the little secret here is that you are not the only one in that situation. The truth is that most have done nothing, some are beginning to start, and a few have been mobilising for a while and are working through their GDPR project.
One area that keeps cropping up in conversations with clients around GDPR is the whole Data Protection Officer (DPO) thing. Most organisations we speak to don’t currently have one and are trying to work out where the position best sits within their existing structures, but the reality is that most are struggling to find the head that fits the hat.
Let’s be clear, the DPO is a serious position. This role will be critical to giving companies a fighting chance of getting to grips with the new regulation and, importantly, to providing the oversight for the continued monitoring of compliance with it. So let’s take a quick look at some of the requirements and attributes of the Data Protection Officer. Articles 37, 38 and 39 cover the main elements of the DPO role.
So let’s focus on human nature: never mind what I could do, when MUST you appoint a DPO? Article 37 states that under the GDPR, you must appoint a data protection officer (DPO) if you:
- are a public authority (except for courts acting in their judicial capacity);
- carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
- carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
It should also be noted that member states can pass additional laws making the appointment of a DPO mandatory.
So, if you don’t fit into the above, you are not obliged to appoint a DPO, but it is probably wise not to cross it off your list: not having a DPO doesn’t mean you have absolved yourself of the responsibilities of the position. Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and skills to discharge your obligations under the GDPR.
Some of the more flexible considerations are:
- You may appoint a single data protection officer to act for a group of companies or for a group of public authorities, taking into account their structure and size.
- You may take on the DPO on the basis of a service contract.
Whichever method you choose to fulfil the requirements of a DPO, you must publish the contact details of the DPO and communicate them to the supervisory authority. A key consideration in deciding how to approach this is the requirement in Article 37 Clause 5 – “The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.”
Article 38 concentrates on the Position of the Data Protection Officer, and it states:
Controllers and Processors shall:
- Ensure the DPO is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
- Support the DPO in performing the tasks (listed in Article 39) by providing the resources necessary to carry out those tasks, access to personal data and processing operations, and the means to maintain their expert knowledge.
- Ensure the DPO does not receive any instructions regarding the exercise of those tasks. The DPO will not be dismissed or penalised by the controller or processor for performing their tasks.
The DPO shall:
- Report directly to the highest management level.
- Be contactable by Data Subjects with regard to all issues related to the processing of personal data and to the exercise of their rights (that is, the data subjects’ rights) under the Regulation.
- Be bound by secrecy or confidentiality concerning the performance of their tasks, in accordance with Member State Law.
- Be able to perform other tasks, but there must be no tasks or duties that result in a conflict of interests.
Ok, so it is pretty clear that the DPO position requires a particular set of skills that are not always readily available within an organisation. Equally, the position needs access to the highest management, and the holder must actually have the rights of the data subjects at the forefront of their thoughts when discharging their duties. Organisations are going to have to behave in a very mature manner to ensure that the role has the independence required to operate without interference and to ensure adherence to the regulation. The key requirement that there be no conflict of interests precludes many existing positions (such as those responsible for security) from being appointed to the role in addition to their other duties.
Whilst discussing duties, here are the tasks of the DPO as defined by Article 39 of the regulation:
The data protection officer shall have at least the following tasks:
- to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
- to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
- to cooperate with the supervisory authority;
- to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
Ok, so time to draw breath. In an attempt to elevate the discussion, here is the headline news version of all the above:
- A DPO isn’t mandatory for all, but against the backdrop of the above, is it something that can just be attended to on an as-and-when basis?
- The skills required to discharge the role are not typically found in one person. There is the need for legal, regulatory and compliance knowledge, but equally, once the privacy elements are covered off, you still have significant requirements to oversee areas that will involve technology.
- The independence of the role makes it a difficult one to resource internally without falling foul of the “conflict of interests”. DPOs appointed from within might want to expect fewer invites to Christmas parties…
Maybe when you step back it isn’t that surprising that many organisations have struggled to identify where this naturally sits. In most companies it doesn’t have a natural resting place, because it presents such a fundamentally different approach: essentially it is an internal guardian of data subjects’ rights, as opposed to protecting the organisation it works for in the first instance. In time organisations will evolve with this, but it is a massive jump for many at this stage.
It is our belief that many will look to resource this externally, with a DPO as a Service (DPOaaS), as it avoids many of the struggles of resourcing internally. That is why we have created a dedicated service team focussed solely on DPOaaS. We have combined the Regulatory expertise with Compliance responsibility and integrated technology thought leadership to create a uniquely focussed service designed to interface with our clients to provide excellence in Data Protection Officer delivery.