The DPO: a three-letter acronym that strikes fear into the hearts of companies and individuals alike. But does every company need a Data Protection Officer, let alone know what qualities and skills that individual should possess?
First, it is vital to understand whether your company is actually required to appoint a DPO under the GDPR (General Data Protection Regulation). Article 37 of the current version of the GDPR states that a company that controls or processes personal data must designate a DPO in three situations:
- Where the processing is carried out by a public body.
- Where the core activities require regular and systematic monitoring of data subjects on a large scale.
- Where the core activities of the controller or processor involve large-scale processing of sensitive personal data.
Definitions of ‘core’ and ‘large scale’
So, what are the definitions of ‘large scale’ and ‘core’? Unfortunately, this is still somewhat of a grey area within the GDPR. Although it does provide guidance, it is not yet fully understood what the definitions will ultimately be.
For ‘large scale’, the GDPR suggests that it means “processing a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects.” However, it does not include the processing of personal data about patients or clients by an individual physician or lawyer. This remains a grey area.
For ‘core’, the recitals of the GDPR clarify that the core activities of an entity are a company’s primary activities and do not include the processing of personal data as an ancillary activity. Therefore, it would be fair to assume, for example, that the processing by controllers and processors of their own employee data does not qualify as a core activity.
When deciding whether you must appoint a DPO, it is vital to assess how ‘core’ and ‘large scale’ could be viewed within your organisation in relation to its main business activity, with common sense prevailing; if in any doubt whatsoever, it would be worth seeking advice from your legal team.
It is also important to remember that any organisation can appoint a DPO, but regardless of whether or not the GDPR obliges you to appoint one, you must ensure that your organisation has sufficient staff and skills to discharge your obligations under the GDPR.
If you decide that appointing a DPO is necessary, it is time to start thinking about the practical requirements for the organisation, the impact on the employer of appointing a DPO, the employer’s responsibilities to the DPO, the tasks and responsibilities of the DPO, and the skill set that person will require.
Designation of a Data Protection Officer
From an organisational point of view, Article 37 (Designation of a Data Protection Officer) advises that:
- Where the controller or processor is a public authority, a single DPO may be appointed for several such authorities, depending on their structure and size.
- The DPO is designated on the basis of professional qualities and knowledge of data protection law, but need not be legally qualified.
- The controller or processor must publish the DPO’s contact details and notify them to the relevant supervisory authority.
Position of the Data Protection Officer
Further to this, Article 38 (Position of the Data Protection Officer) goes into more detail regarding the employer’s responsibilities toward the DPO:
- The controller and processor must ensure the proper and timely involvement of the DPO.
- The controller and processor must provide support through the necessary resources, whilst giving data subjects clear access to the DPO.
- The DPO has a large degree of independence and should have direct access to the highest level of management.
- In addition, there must be no conflict of interest arising from additional tasks or duties: “This entails in particular that the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data.” (Working Party 29 Guidance).
Tasks of the Data Protection Officer
Once appointed, what are the tasks of the Data Protection Officer? Article 39 (Tasks of the Data Protection Officer) covers the minimum requirements:
- To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
- To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.
- To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers, etc.).
It is therefore vital that the right person (either from within the organisation or externally) is appointed. With all of this in mind, what skills should a DPO have, and what should you be looking for when appointing one? The GDPR does not specify the precise credentials a DPO is expected to have, but it does require that they have professional experience and knowledge of data protection law, proportionate to the type of processing your organisation carries out and taking into consideration the level of protection the personal data requires.
Key skills to consider
Below is a non-definitive list of some key skills to consider when appointing a DPO.
- A DPO must be able to articulate ‘privacy by design and by default’ to delivery functions within the organisation.
- They should have a good understanding of risk management and risk assessments, and be able to carry out DPIAs (Data Protection Impact Assessments).
- They should be able to coordinate and advise on data breaches and breach notification, and make cyber security incident response processes work.
- They should be able to carry out and interpret internal audits against compliance requirements.
- They should be familiar with the codes of conduct for their industry sector and have a good understanding of compliance standards and data marks.
- They should lead co-operation with the supervisory authority and, probably most importantly, have excellent communication skills.
In conclusion, it should be remembered that the DPO is a strategic role. The DPO develops, coordinates and manages an organisation’s privacy strategy, ensures that operations and business practices adhere to applicable privacy laws, and ensures that privacy considerations and processes are incorporated into business practices, so that compliance is not only achieved but also maintained.