The General Data Protection Regulation (GDPR) came into force on 25 May 2018 bringing with it new, more comprehensive laws. One of the biggest changes is the mandatory appointment of a Data Protection Officer (DPO) for certain companies that process personal data. However, with change comes uncertainty and for some controllers it is unclear how a DPO’s day-to-day responsibilities will play out. Will companies embrace their DPOs with open arms or will they treat them with some trepidation: is the DPO a friend or a foe?
When is a DPO needed?
The GDPR prescribes the appointment of a DPO for the following:
1) Public authorities;
2) Private entities whose core activities involve the systematic monitoring of individuals; examples of systematic monitoring include location tracking or behavioural advertising and
3) Entities which process either large amounts of special categories of personal data or personal data related to convictions and offences.
Any entity falling within these criteria will require a DPO, irrespective of whether they act as a processor or a controller. All other companies are not obliged to appoint a DPO but may still do so voluntarily. This move may serve to improve an entity’s reputation in demonstrating its willingness to self-regulate and a commitment to improving data protection for its customers and employees.
What responsibilities does a DPO have?
The DPO will have both operational tasks (ensuring compliance with data processing obligations, safeguarding the rights of the data subject, as well as security and breach protocols) and advisory tasks (consisting of training staff and responding to queries). The DPO will also be responsible for completing Data Protection Impact Assessments (DPIAs) which are designed to determine the level of risk to data posed by specific projects. Completing DPIAs will help the DPO to identify procedures militating against such risks.
Who should the DPO be and where should she sit within the organisation?
The DPO should have extensive knowledge of both national and European data protection laws, and the application of those laws within the industry to which they are appointed. It is important to note that this is not a junior position and that the DPO should report directly to the board of directors. A DPO needn’t be assigned to each entity within a corporate group; it is possible for one (with sufficient resources) to be centrally appointed to oversee a group of companies. However, a centralised DPO must be easily accessible by each entity within the group. Central supervision should help the DPO to deal with issues, such as reputational risks, which may have repercussions beyond a particular body corporate or its locality.
If a possible data breach were to occur, the entity must ensure that the DPO is involved in a proper and in a timely manner. Liability under the GDPR rests with the controller or processor in question, rather than the DPO who is independent from the body corporate. It is therefore in the best interests of a concern to facilitate a DPO’s work; in fact, obstructing the DPO from doing his/her job may result in a GDPR breach.
The GDPR requires a DPO to be accessible, both to individuals (i.e. employees and data subjects) and to the relevant supervisory authorities. She must be able to deal with issues arising in various jurisdictions and thus be aware of specific requirements under national laws and be able to cooperate with a local regulator.
The DPO may be appointed internally as a permanent member of staff, or externally by way of a service contract. If an entity opts to instruct an external DPO, it is more likely that they will be working with a team of individuals. If this is the case, the roles of each individual team member should be communicated to the entity at the outset.
Positive or negative?
Other departments may view the DPO as an obstructive force inhibiting their activities. This could encourage a hostile environment within which the DPO may be improperly penalised for doing his/her job. This situation is not only undesirable but, as discussed above, may in itself constitute a breach of the GDPR. This does not mean that a DPO is beyond reproach; a DPO can still be dismissed or sanctioned on other grounds. For instance, he or she can still be held liable under national criminal or labour laws.
Due to the technical nature of data processing, companies may not have been aware of particular risk exposure points prior to appointing their DPO. However, companies will now have a force dedicated to the mitigation of such risks. A DPO can help by mapping data flows and assessing the gaps to identify vulnerabilities and implement improvements. It is certainly more advantageous to be aware of risk than to be ignorant of it.
A DPO fulfils a myriad of tasks within an organisation. She should be seen as helping the business to improve in a compliant manner rather than as an obstacle to business. DPOs add value to businesses and such a value is not limited to the situations in which the GDPR mandates their appointment.