The General Data Protection Regulation (GDPR) will come into effect on 25 May 2018. Data protection officers (DPOs) will be at the core of this new legal framework for many organisations.
Under the GDPR, it is mandatory for certain controllers and processors to designate a DPO. This will be the case for all public authorities and bodies (irrespective of what data they process). It will also be mandatory for other organisations that, as a core activity, monitor individuals systematically and on a large scale, or process special categories of personal data on a large scale.
Even when the GDPR does not specifically require the appointment of a DPO, organisations may designate a DPO on a voluntary basis.
If you get asked to be a DPO, what do you need to be aware of? Firstly, you should read a copy of the GDPR and the "Guidance on DPOs" issued by the Article 29 Working Party on 13 December 2016 (the Guidance). This article provides a general summary of what a DPO role involves and some comments and observations of the author.
Some of the key tasks of the DPO include:
As you can see, the role is multi-faceted. The requirement for DPOs to advise on the obligations under the GDPR is a legal role, while monitoring compliance is an audit role. In addition, the data protection impact assessment is a privacy specialist role, and working with the supervisory authority is a professional relationship role requiring an understanding of how the supervisory authority works.
Article 38(1) states: "The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data." This is likely to require DPOs to undertake the difficult balancing act of having a good rapport with the controllers and processors, while still keeping a professional detachment.
With the right balance, the DPO will be included all of the time, not just when strictly required. The DPO may be dealing with controllers and processors from different countries and therefore business cultures. Consequently, they will need to have experience in dealing with different ways of thinking and doing business, and they should also have the flexibility to understand and leverage these differences into a successful result.
Under Article 38(4): "Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation." What this means in practice is that DPOs will need to be able to understand and communicate in the language of the country the data subject is from.
Article 35(2) of the GDPR states that: "The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment." This means that DPOs will need to have significant experience in assessing privacy and security risks and impacts, and in proposing and implementing mitigations for the identified privacy and security risks. In addition, the position of giving advice requires both professional advisory and client relationship skills to ensure that controllers continue to seek such advice.
Recital 97 states: "The necessary level of expert knowledge should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor. Such data protection officers, whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner."
This means that under the GDPR the DPO must know data protection law to a level of expertise that will vary depending upon the type of processing carried out and the protections required. This will require DPOs to have experience not only of the GDPR and other relevant EU legislation – for example, the E-Privacy Directive – but also of all other privacy and related laws in those jurisdictions where their organisation does business, and where it outsources any operations involving the processing of personal data. They must also have the integrity and ability, based on experience, to act in an independent manner. Consequently, a mature professional with entrepreneurial, client relationship and leadership experience is needed, who can handle the delicate task of discovering gaps, encouraging gap mitigation and ensuring compliance without taking an adversarial position.
Under Article 37(5): "The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39."
This could mean that DPOs need to have the combined skills and experience of what are typically separate roles, such as a relationship manager, a corporate legal counsel, an IS auditor, and an IT specialist.
Article 39(2) states: "The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing."
Under this Article, DPOs will also need to have a good understanding of risk in relation to privacy and information security and risk methodologies in general. More specifically, they will need to understand risk as it relates to the specific industry the data controller is engaged in, as well as to their specific products and services, both planned and current. And because these risks will constantly be evolving, the DPO will need to demonstrate awareness of changes to the threat landscape and fully comprehend how emerging technologies will alter these risks.
Article 38(3) establishes some basic protections to help ensure that DPOs are able to perform their tasks with a sufficient degree of autonomy within their organisation. Specifically, that controllers/processors are required to ensure that the DPO "does not receive any instructions regarding the exercise of [his or her] tasks."
This means that, in fulfilling their tasks under Article 39, DPOs must not be instructed on:
However, the guidance makes it clear that the autonomy of DPOs does not mean that they have decision-making powers extending beyond their tasks pursuant to Article 39.
Under Article 38(6): "The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests."
Where a DPO is a member of the data controller's organisation and also performs other roles, those roles may conflict with the DPO role and the two may not be easy to reconcile.
For example, consider a person who both oversees information security and acts as the DPO. You should query whether there is a conflict of interest between the risk assessments that person creates in their IT security role and the evaluation of those same assessments for adequacy and reasonableness by the same person in their DPO role.
The guidance states that depending on the activities, size and structure of the organisation, it can be good practice for controllers or processors:
Article 38(2) of the GDPR requires the organisation to support its DPO by "providing resources necessary to carry out [their] tasks and access to personal data and processing operations, and to maintain his or her expert knowledge". The guidance has said that the following should be considered:
Given the size and structure of the organisation, it may be necessary to set up a DPO team (a DPO and his/her staff). In such cases, the internal structure of the team and the tasks and responsibilities of each of its members should be clearly specified. Similarly, when the function of the DPO is exercised by an external service provider, a team of individuals working for that entity may effectively carry out the tasks of a DPO as a team, under the responsibility of a designated lead contact for the client.
The Guidance states that the more complex and/or sensitive the processing operations, the more resources must be given to the DPO.
Can a DPO be dismissed or penalised for performing their tasks?
Article 38(3) requires that DPOs should "not be dismissed or penalised by the controller or the processor for performing [their] tasks".
This requirement is also likely to strengthen the autonomy of DPOs and should help ensure that they act independently and enjoy sufficient protection in performing their data protection tasks. Penalties are only prohibited under the GDPR if they are imposed as a result of the DPO carrying out his or her duties as a DPO. For example, a DPO may consider that a particular processing is likely to result in a high risk and advise the controller or the processor to carry out a data protection impact assessment, but the controller or the processor may disagree with the DPO’s assessment. In such a situation, the DPO cannot be dismissed for providing this advice.
Penalties may take a variety of forms and may be direct or indirect. The guidance states that they could consist of, for example, absence or delay of promotion; prevention from career advancement; or denial of employee benefits. It is not necessary that these penalties be actually carried out – a mere threat is sufficient as long as they are used to penalise the DPO on grounds related to his/her DPO activities.
However, as a normal management rule, a DPO could still be dismissed legitimately for reasons other than performing his or her tasks as a DPO, as would be the case for any other employee or contractor under, and subject to, applicable national contract, employment or criminal law; for example, in the case of theft or other gross misconduct.
It should also be noted that the GDPR does not specify how and when a DPO can be dismissed or replaced by another person. However, the guidance does state that the more stable a DPO’s contract is, and the more guarantees exist against unfair dismissal, the more likely it is that they will be able to act in an independent manner.
While the DPO role comes with many responsibilities, the DPO is not personally responsible in the case of non-compliance with the GDPR. The GDPR makes it clear that it is the controller or the processor who is required to ensure, and to be able to demonstrate, that the processing is performed in accordance with its provisions. Data protection compliance is ultimately a responsibility of the controller or the processor.
The decision will rest with each organisation to find the required DPO skills in either a single person or across several people. It will be up to the organisation to locate them internally, hire them externally or outsource the role, and to decide whether to manage this function under an existing officer function (such as CSO, CTO, FD or General Counsel) or to let it operate truly independently.
Under the GDPR, the requirements for a DPO are generally clear. However, what will be interesting is how each organisation chooses to implement its own DPO role and attempts to navigate as far as possible away from the GDPR’s penalty regime for non-compliance.
This article is not intended to constitute legal advice. Specific legal advice should be sought before taking or refraining from any action in relation to the matters mentioned.
Dr Sam De Silva, Partner – CMS Cameron McKenna Nabarro Olswang LLP
IT Faculty Technical Committee Member, ICAEW