GDPR: Data Protection Officers
28 May, 2018
A Data Protection Officer (“DPO”) is the person responsible within an organisation for monitoring and facilitating its compliance with the GDPR. The DPO (whether an employee or contractor) must report to the highest level of management and, where appointed, will have a specific role to fulfil within the context of the GDPR. This is described further below.
Appointing a data protection officer
Mandatory Requirement. The GDPR provides for the mandatory designation of a DPO for a controller or a processor in the following circumstances:
a. where the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
b. where the core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or
c. where the core activities consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.
For these purposes, core activities would relate to the primary activities of an organisation, the key operations necessary to achieve its objectives or main business. This would also extend to and capture all activities where the processing of data forms an inextricable part of the organisation’s activity. In the private sector, the core activities of a controller relate to its primary business activities and do not relate to the processing of personal data as ancillary activities.
Large Scale Processing
Although the GDPR does not define what constitutes “large scale” processing, the European Union’s working party on data protection has issued guidance on this point. It recommends that the following factors be taken into account when determining whether the processing constitutes processing of personal data on a large scale:
• the number of data subjects concerned – either as a specific number or as a proportion of the relevant population
• the volume of data and/or the range of different data items being processed
• the duration, or permanence, of the data processing activity
• the geographical extent of the processing activity
Role of the DPO
Where appointed, the DPO should be involved from the earliest possible stage in all issues relating to the protection of personal data. With regard to data protection impact assessments, for example, the GDPR provides for the early involvement of the DPO and requires the controller to seek the advice of the DPO when carrying out such assessments.
The controller or processor is required to ensure that its DPO has a sufficient degree of autonomy and does not receive any instructions regarding the exercise of his or her tasks under the GDPR. This means the DPO, in the fulfilment of his/her tasks under the GDPR (as set out below) must not be instructed how to deal with a matter, for example, what result should be achieved, how to investigate a complaint or whether to consult the supervisory authority. Further, the DPO must not be instructed to take a certain view of an issue related to data protection law, for example, a particular interpretation of the law.
The DPO will be bound by secrecy or confidentiality in relation to the performance of his or her tasks and will have a duty to ensure that the performance of such tasks or duties does not result in a conflict of interest.
Also of note, the DPO may not be dismissed or penalised by the controller or the processor for performing his or her tasks under the GDPR, and must directly report to the highest management level of the controller or the processor. The controller or processor concerned will ultimately be responsible for its compliance with the GDPR.
Responsibilities of the DPO (Tasks)
The GDPR specifically sets out the tasks of the DPO as follows:
a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to the GDPR and to other Union or Member State data protection provisions;
b) to monitor compliance with the GDPR, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
c) to provide advice where requested as regards data protection impact assessments and monitor their performance;
d) to cooperate with the supervisory authority;
e) to act as the contact point for the supervisory authority on issues relating to processing, and to consult, where appropriate, with regard to any other matter.
The DPO’s role in monitoring GDPR compliance
As part of a DPO’s duty to monitor the controller’s or processor’s compliance with the GDPR, he/she may:
• collect information to identify processing activities,
• analyse and check the compliance of processing activities, and
• inform, advise and issue recommendations to the controller or the processor.
The controller, and not the DPO, is required to implement appropriate measures under Article 24(1) of the GDPR to ensure lawful processing. As mentioned above, the GDPR provides that the DPO will not be personally responsible in an instance of non-compliance. Data protection compliance is a corporate responsibility of the controller, and not of the DPO.
The DPO and data protection impact assessments
With regard to data protection impact assessments (“DPIA”), again it is the responsibility of the controller, and not the DPO, to carry out a data protection impact assessment. A controller must nonetheless seek the advice of a DPO when carrying out a DPIA, including advice in relation to the following:
• whether or not to carry out a DPIA;
• what methodology to follow when carrying out a DPIA;
• whether to carry out the DPIA in-house or whether to outsource it;
• what safeguards (including technical and organisational measures) to apply to mitigate any risks to the rights and interests of the data subjects; and
• whether or not the DPIA has been correctly carried out and whether its conclusions (whether or not to go ahead with the processing and what safeguards to apply) are in compliance with the GDPR.
If the DPO’s advice on the above points has not been taken into account by the controller, or if the controller disagrees with the DPO’s advice for any reason, the reasons for this must be clearly outlined in the DPIA documentation.
The level of expertise required of a DPO is not explicitly stated in the GDPR. It is acknowledged, however, that a DPO’s expertise should be “commensurate with the sensitivity, complexity and amount of data an organisation processes.”
This means that where a large amount of personal data is being processed, or if the data processing activity is particularly complex, the DPO may require a higher level of expertise or support from the controller. Whether the controller regularly transfers data outside of the European Union will also be relevant for these purposes.
It is, however, recommended that a DPO should possess expertise in national and European data protection legislation and policies and should have an in-depth knowledge and understanding of the GDPR. It is also useful if the DPO understands the business sector and the controller’s organisation and business practices.
The Company will be required, for its GDPR compliance purposes, to demonstrate that it has considered whether a DPO is required to be appointed and how it came to its decision as to whether to appoint a DPO or another responsible person. This should be documented by the Company.
[In our view, the Company, based on the information available to us at the date of this note, falls outside of scope of the mandatory requirement to appoint a DPO. It may nonetheless choose to do so. In the event the Company does not appoint a DPO, it should designate another responsible person or persons to monitor GDPR compliance and deal with queries relating to the processing of personal data within the organisation.]