The EU General Data Protection Regulation (GDPR) became enforceable on 25 May 2018 and, for the first time, introduced an EU-wide requirement for certain organizations to appoint a Data Protection Officer (DPO).
Appointing a Data Protection Officer, where the regulation requires it, forms a key part of the strengthened accountability obligations found in the GDPR. It sits alongside other obligations on organizations such as carrying out data protection impact assessments, implementing the principles of data protection by design and by default, and maintaining internal records of processing activities.
Data controllers and data processors must appoint a Data Protection Officer if they are a public authority or body, if their core activities involve the 'regular and systematic monitoring of data subjects on a large scale', or if their core activities involve large-scale processing of special categories of personal data or data relating to criminal convictions and offences. Organizations outside these cases may still appoint one voluntarily; if they do, the same requirements on the position apply.
Data Protection Officer Selection
When seeking to appoint a Data Protection Officer, organizations must make their selection on the basis of professional qualities, in particular expert knowledge of data protection law and practice, and the ability to fulfil the tasks of the role. The GDPR sets no formal certification requirement, but participation in recognized data protection certification or training programs is a practical way for a candidate to demonstrate that knowledge, and the required level of expertise should be proportionate to the sensitivity, complexity and volume of the data the organization processes.
When considering candidates for the Data Protection Officer role, organizations are not limited to just staff members but may choose to appoint an outside professional to perform the role on the basis of a service contract.
If an external Data Protection Officer is selected, the organization must ensure that they build productive working relationships with internal stakeholders and colleagues, since the role cannot be performed adequately without access to the people and information inside the organization. On the other hand, an external Data Protection Officer often brings a degree of independence and detachment that an internal appointee may struggle to show, especially if the chosen individual already has close working relationships with the stakeholders whose activities need to be monitored.
If an employee is chosen as the Data Protection Officer, nothing should prevent that individual from also performing other roles at the organization, as long as those roles do not affect their ability to adequately perform the role of Data Protection Officer. However, appointing an internal Data Protection Officer may raise issues of confidentiality and conflict of interest. To counteract this, it will be vital that organizations develop policies and procedures to manage any such issues.
Core Tasks of a Data Protection Officer
The DPO needs to act as the organization's reference point on data protection and remain alert to processing risks. The GDPR sets out their minimum tasks, which include:
- Informing and advising the data controller or data processor, and the employees who carry out processing, of their obligations under the GDPR and other applicable data protection law;
- Monitoring compliance with the GDPR, other data protection provisions and the policies of the data controller or data processor in relation to personal data protection, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- Providing advice, where requested, on data protection impact assessments and monitoring their performance;
- Cooperating with the supervisory authority;
- Acting as the contact point for the supervisory authority on issues relating to processing, including prior consultation, and consulting the authority where appropriate on any other matter.
Even though a Data Protection Officer may perform other tasks, they must be properly and promptly involved in all issues relating to the protection of personal data. The organization must ensure that the Data Protection Officer exercises these functions independently and reports directly to the highest level of management.
The Position and Way of Working
The GDPR sets out conditions for the appointment and position of a Data Protection Officer. It does not prescribe a fixed term of office, but it prohibits dismissing or penalising the Data Protection Officer for performing their tasks, so the terms of appointment and the conditions for dismissal should be defined in advance and should protect that independence.
No instructions may be given to a Data Protection Officer regarding the exercise of their tasks. This issue would arise if a Data Protection Officer were told what result should be achieved, how a complaint should be investigated, or whether the supervisory authority needs to be consulted. For example, the Data Protection Officer must not be instructed to adopt a particular interpretation of the law.
The Data Protection Officer must report directly to the highest management level in the organization. The organization should ensure that the Data Protection Officer is invited to participate regularly in senior and middle management meetings, and their presence is recommended whenever decisions with data protection implications are taken.
To allow a Data Protection Officer to provide adequate advice, all relevant information must be passed on to them in a timely manner. The opinion of the Data Protection Officer must always be given due weight, and where management decides not to follow that advice, the reasons for doing so should be documented.
Under the GDPR, the Data Protection Officer role is demanding, but it is certainly important. The position carries risks, which are best managed by carrying out the tasks with independence and integrity and by the organization giving the role the standing the regulation requires. Whether or not the regulation obliges you to appoint one, the Data Protection Officer is a critical and valued role within the modern professional organization.