The GDPR takes a role that already exists in some organisations, that of the data protection officer (DPO), and gives it statutory importance.
Within Chapter IV of the GDPR, Articles 37-39 lay out the requirements for appointing a DPO, as well as the DPO's specification, role, duties and relationships with other entities (such as data subjects, controllers and processors).
Whether or not your organisation needs to appoint a DPO comes down to three basic conditions, according to the Regulation.
The controller and the processor shall designate a data protection officer in any case where:
(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.23
The EU’s Working Party 29 (‘WP29’) has provided guidance on key definitions within these requirements:
The GDPR makes several references to the “core activities of the controller or the processor”24. Core activities are the key operations necessary to achieve the controller’s or processor’s goals. However, core activities also include processing that is an inextricable part of the controller’s or processor’s activity. For example, the core activity of a hospital is to provide healthcare; it could not do this without processing health data, such as patient health records. Processing this type of data is therefore a core activity and a DPO must be appointed.
Activities that can be regarded as support functions to these core activities, such as payroll or IT support, although necessary and/or essential, are considered ancillary functions rather than core activities25.
The GDPR requires that a DPO be appointed when processing of personal data is carried out on a large scale26, but does not define what constitutes large-scale data processing. The guidance is this: “large-scale processing operations which aim to process a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk” would be included. On the other hand, the recital specifically provides that “the processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer”27.
At the time of writing, it is not possible to give more precise guidance for “large scale”, either with regard to the amount of data processed or the number of individuals concerned. The following factors should be considered when determining whether the processing is carried out on a large scale:
- The number of data subjects concerned – either as a specific number or as a proportion of the relevant population.
- The volume of data and/or the range of different data items being processed.
- The duration, or permanence, of the data processing activity.
- The geographical extent of the processing activity.
Examples of large-scale data processing would include:
- processing of patient data in the regular course of business by a hospital;
- processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards);
- processing of real-time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in providing these services;
- processing of customer data in the regular course of business by an insurance company or a bank;
- processing of personal data for behavioural advertising by a search engine;
- processing of data (content, traffic, location) by telephone or Internet service providers.
Examples that do not constitute large-scale processing include:
- processing of patient data by an individual physician;
- processing of personal data relating to criminal convictions and offences by an individual lawyer28.
Regular and systematic monitoring is also not defined in the GDPR. The concept of “monitor[ing] the behaviour of data subjects” is discussed, however, and includes all forms of tracking and profiling on the Internet, including for the purposes of behavioural advertising29.
The concept of monitoring is not restricted to the online environment and online tracking is only an example of monitoring the behaviours of data subjects30.
‘Regular’ should be taken as meaning one or more of the following:
- Ongoing or occurring at particular intervals for a particular period
- Recurring or repeated at fixed times
- Constantly or periodically taking place
‘Systematic’ means one or more of the following:
- Occurring according to a system
- Prearranged, organised or methodical
- Taking place as part of a general plan for data collection
- Carried out as part of a strategy
Examples of regular and systematic monitoring:
- Operating a telecommunications network
- Providing telecommunications services
- Email retargeting
- Profiling and scoring for purposes of risk assessment (e.g. for purposes of credit scoring, establishment of insurance premiums, fraud prevention, detection of money-laundering)
- Location tracking, such as by mobile apps
- Loyalty programmes
- Behavioural advertising
- Monitoring of wellness, fitness and health data via wearable devices
- Closed circuit television
- Connected devices, e.g. smart meters, smart cars, home automation, etc.31
Voluntary designation of a Data Protection Officer
Every organisation has to make a rational assessment of whether to appoint a DPO, taking into consideration such factors as the size, complexity and diversity of its business operations in conjunction with the acceptable level of risk to the business and the risks to the rights and freedoms of data subjects. In most cases, organisations would be well-advised to make such an appointment; the risks are significant and the compliance complexities are not insubstantial.
When an organisation designates a DPO on a voluntary basis, the same requirements under the GDPR will apply to his or her designation, position and tasks as if the designation had been mandatory.
Unless it is obvious that an organisation is not required to designate a DPO, Article 29 Data Protection Working Party recommends that controllers and processors document the internal analysis carried out to determine whether or not a DPO is to be appointed, in order to be able to demonstrate that the relevant factors were all properly taken into account.
It should be noted that you do not need a dedicated DPO in-house. It’s entirely reasonable to share a DPO with other organisations, perhaps through a third-party service provider such as a specialist consulting or legal firm.
Undertakings that share a DPO
The GDPR allows a group of undertakings to designate a single, shared DPO, provided that the DPO is “easily accessible from each establishment”32.
The notion of accessibility refers to the DPO’s role as a contact point with respect to data subjects and supervisory authorities, but also internally within the organisation, considering that one of the tasks of the DPO is “to inform and advise the controller and the processor and the employees who carry out processing of their obligations pursuant to this Regulation”33.
In order to make sure that the DPO (whether internal or external) is accessible, it is important to make sure that their contact details are available in accordance with the requirements of the GDPR34.
The DPO must be in a position to efficiently communicate with data subjects and cooperate with the supervisory authorities concerned. This also means that this communication must take place in the language or languages used by the supervisory authorities and the data subjects concerned.
A single DPO may be designated for several public authorities or bodies, taking account of their organisational structure and size35. The same considerations with regard to resources and communication apply.
Given that the DPO is responsible for a variety of tasks, the controller must make sure that a single DPO can perform these efficiently despite being responsible for several public authorities and/or bodies.
The personal availability of a DPO (whether physically on the same premises as employees, via a hotline or other secure means of communication) is essential to making sure that data subjects are able to contact the DPO.
The DPO is bound by secrecy or confidentiality concerning the performance of their tasks, in accordance with Union or Member State law. However, the obligation of secrecy/confidentiality does not prohibit the DPO from contacting and seeking advice from the supervisory authority36.
DPO on a service contract
The function of the DPO can also be exercised on the basis of a service contract with a third-party individual or organisation. In this latter case, it is essential that each member of the organisation exercising the functions of a DPO (e.g. a DPO-as-a-Service offering) fulfils all relevant requirements of the GDPR (e.g. it is essential that no one has a conflict of interests)37.
It is equally important that each such staff member be protected by the provisions of the GDPR (e.g. no unfair termination of the service contract for activities as DPO, but also no unfair dismissal of any individual member of the organisation carrying out the DPO tasks). At the same time, individual skills and strengths can be combined so that several individuals working in a team may more efficiently serve their clients.
For the sake of legal clarity and good organisation, there should be a clear allocation of tasks within the DPO team, with a single individual assigned as a lead contact and person ‘in charge’ for each client. It would generally also be useful to specify these points in the service contract.
Publication of DPO contact details
The GDPR requires the controller or the processor:
- to publish the contact details of the DPO, and
- to communicate the contact details to the relevant supervisory authorities38.
These requirements make sure that data subjects (both inside and outside of the organisation) and the supervisory authorities can directly and confidentially contact the DPO without having to contact another part of the organisation.
The contact details of the DPO should include information allowing data subjects and the supervisory authorities to reach the DPO in an easy way (a postal address, a dedicated telephone number and a dedicated email address). When appropriate, for purposes of communications with the public, other means of communications could also be provided – for example, a dedicated hotline, or a dedicated contact form addressed to the DPO on the organisation’s website.
The GDPR does not require the published contact details to include the name of the DPO. Although it may be good practice to do this, it is for the controller and the DPO to decide whether this is necessary or helpful in the particular circumstances.
As a matter of good practice, an organisation should inform the supervisory authority and employees of the name and contact details of the DPO. For example, the name and contact details of the DPO could be published internally on the organisation’s intranet, internal telephone directory and on organisational charts.
Position of the DPO
The GDPR says that the controller and the processor must make sure that the DPO is “involved, properly and in a timely manner, in all issues which relate to the protection of personal data”39.
It is therefore crucial that the DPO is involved from the earliest stage possible in the development of the privacy compliance framework and in all issues relating to data protection. In relation to data protection impact assessments, the GDPR explicitly provides for the early involvement of the DPO and says that the controller must seek the advice of the DPO when carrying out such impact assessments40. Making sure that the DPO is informed and consulted at the outset will facilitate compliance with the GDPR and ensure a data protection by design approach, and should, therefore, be standard procedure within the organisation’s governance. In addition, it is important that the DPO is seen as someone within the organisation with critical input on all data processing activities and that they are therefore part of any of the organisation’s working groups that deal with data processing activities.
The organisation should make sure, for example, that:
- The DPO is invited to participate regularly in meetings of senior and middle management;
- They are present where decisions with data protection implications are taken;
- All relevant information is passed to the DPO in a timely manner in order to allow him or her to provide adequate advice;
- The opinion of the DPO is always given due consideration and, where conflict and disagreement arise, that the parties document the reasons for not following the DPO’s advice;
- The DPO is promptly consulted when a data breach occurs.
Where appropriate, the controller or processor should develop formal guidelines that describe clearly when the DPO must be consulted.
The GDPR places a legal obligation on organisations to support the DPO by “providing resources necessary to carry out [their] tasks and access to personal data and processing operations, and to maintain his or her expert knowledge”41. Depending on the nature of the processing and the size of the organisation, this support should include:
- Active support of the DPO’s function by the board of directors.
- Sufficient time for DPOs to fulfil their duties. This is particularly important where the DPO is appointed on a part-time basis or where the employee carries out data protection in addition to other duties. Otherwise, conflicting priorities could result in the DPO’s duties being neglected. Having sufficient time to devote to DPO tasks is paramount. It is good practice to establish a percentage of time for the DPO function if it is not a full-time role. It is also good practice to determine the time needed to carry out the function, the appropriate level of priority for DPO duties, and for the DPO (or the organisation) to draw up and follow a formal work plan.
- Adequate support in terms of financial resources, infrastructure (premises, facilities, equipment) and staff, where appropriate.
- Official communication of the designation of the DPO to all staff to make sure that their existence and function are known within the organisation.
- Necessary access to other services, such as human resources, legal, IT, security, etc., so that DPOs can receive essential support, input and information from those other services.
- Continuous training. DPOs should have the opportunity to stay up to date regarding developments within data protection. The aim should be to constantly increase the DPO’s level of expertise, and they should be encouraged to participate in training courses on data protection and other forms of professional development, such as participation in privacy fora, workshops, etc.
- Given the size and structure of the organisation, it may be necessary to set up a DPO team (a DPO and his/her staff). In such cases, the internal structure of the team and the tasks and responsibilities of each of its members should be clearly documented.
In general, the more complex and/or sensitive the processing operations, the more resources must be given to the DPO. The data protection function must be effective and sufficiently resourced in relation to the data processing being carried out.
Acting in an independent manner
The GDPR sets out clear protective guarantees to help make sure that DPOs are able to perform their tasks with a sufficient degree of autonomy. In particular, controllers/processors are required to make sure that the DPO “does not receive any instructions regarding the exercise of [his or her] tasks”42. Furthermore, it says that DPOs, “whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner”43.
This means that, in fulfilling their tasks under the GDPR, DPOs must not be instructed how to deal with a matter. For example, they must not be told what result should be achieved, how to investigate a complaint or whether to consult the supervisory authority. Furthermore, they must not be instructed to take a certain view of an issue related to data protection law, such as a particular interpretation of the law. The autonomy of DPOs does not, however, mean that they have decision-making powers extending beyond their tasks pursuant to the GDPR44.
The controller or processor remains responsible for compliance with data protection law and must be able to demonstrate compliance with the principle of accountability. If the controller or processor makes decisions that are incompatible with the GDPR and the DPO’s advice, the DPO should be given the opportunity to make his or her dissenting opinion clear to those making the decisions.
Protected role of the DPO
The GDPR provides protection to the role of the DPO where it requires that DPOs should “not be dismissed or penalised by the controller or the processor for performing [their] tasks”45.
For example, a DPO may consider that a particular processing operation presents a high risk to the rights and freedoms of data subjects and advise the controller or the processor to carry out a data protection impact assessment, but the controller or the processor may not agree with the DPO’s assessment. In such a situation, the DPO cannot be dismissed or otherwise penalised for providing this advice.
All of the ways in which organisations might attempt to penalise an individual whose advice they dislike would be illegal. These illegal penalties can take a variety of forms and may be direct or indirect. They could consist, for example, of absence or delay of promotion; prevention from career advancement; or denial of benefits that other employees receive. It is not necessary that these penalties actually be carried out; a mere threat is sufficient if it is used to penalise the DPO on grounds related to his/her DPO activities.
As a normal management rule – and as would be the case for any other employee or contractor – a DPO could still be dismissed legitimately for reasons other than for performing his or her tasks as a DPO (for instance, in case of theft, physical, psychological or sexual harassment or similar gross misconduct).
In this context, it should be noted that the GDPR does not specify how and when a DPO can be dismissed or replaced by another person. However, the more stable a DPO’s contract is, and the more guarantees exist against unfair dismissal, the more likely they will be able to act in an independent manner.
Conflicts of interest
The GDPR has a provision that allows DPOs to “fulfil other tasks and duties”. It requires, however, that the organisation makes sure that “any such tasks and duties do not result in a conflict of interests”46.
The absence of conflict of interests is closely linked to the requirement to act in an independent manner. Although DPOs are allowed to have other functions, they can only be entrusted with other tasks and duties provided that these do not give rise to conflicts of interests. In particular, this means that the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data, or be responsible for service delivery. Due to the specific structure in each organisation, this has to be considered on a case-by-case basis. In broad terms, however, this will tend to mean that it is not possible for an IT manager, CIO or CISO also to be the DPO.
Depending on the activities, size and structure of the organisation, it can be good practice for controllers or processors:
- to identify the positions that would be incompatible with the function of the DPO;
- to draw up internal rules to this effect in order to avoid conflicts of interest;
- to include a more general explanation about conflicts of interests;
- to declare that the DPO has no conflicts of interest with regard to his or her function as a DPO, as a way of raising awareness of this requirement;
- to include safeguards in the organisation’s rules, and to make sure that the vacancy notice for the position of DPO or the service contract is sufficiently precise and detailed in order to avoid a conflict of interest. In this context, it should also be borne in mind that conflicts of interest may take various forms depending on whether the DPO is recruited internally or externally.
The Regulation also allows individual Member States to pass additional laws regarding DPOs47. For example, an individual Member State may make DPOs a requirement for more organisations under its jurisdiction and, as such, it is possible that many more organisations may have to appoint DPOs in the future48.
While you are not required to appoint a DPO if you don’t meet these conditions, there may (as indicated earlier) be good business reasons for doing so; perhaps to streamline the compliance project, to be on hand to provide expert advice or guidance, or to be at the ready in case conditions change and you are required to have one. In the same way that organisations of all sizes now usually give one or more individuals specific responsibilities around HR and Health and Safety, so it is likely that Data Protection responsibilities will become a basic operational competence required in all cases.
Specification of the DPO
The Regulation describes the DPO in Article 37, stating that “the data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39”49. This description is quite broad and it is therefore open to organisations to determine how they specifically meet this requirement.
The ‘ability to fulfil the tasks’ is at least as important as knowledge of the law. After all, legal advice can be obtained from professional advisers; the key requirement on a DPO is the fulfilment of the tasks of the DPO, which necessitates a significant level of practical knowledge and experience of the implementation and operation of an effective privacy compliance framework. In terms of appropriate qualifications and experience, here is a brief (and non-exhaustive) list of some of the attributes and knowledge a DPO may require, depending on the significance of the specific role:
- A law degree, ideally with specialisation in data privacy law, and specifically with the GDPR.
- Professional qualifications/certifications relating to data protection and/or information security, and specifically to the GDPR.
- Professional qualifications/certifications relevant to the industry or sector in which they are working.
- Experience implementing data protection measures and/or frameworks.
- Experience managing the key systems and processes involved in securing personal data.
- Experience with risk management standards and frameworks.
- Experience and knowledge of information security management and key cyber security assurance certifications.
Earlier in the Regulation is some additional information: “a person with expert knowledge of data protection laws and practices should assist the controller or processor to monitor internal compliance with this Regulation. […] The necessary level of expert knowledge should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor”50. While it is clear that a legal qualification is not a requirement for the role of DPO, an understanding of data privacy law is essential. This understanding could be gained through experience. The DPO should ensure that they are au fait not just with the relevant laws (including the GDPR), but also with the nature of the processing itself and how it relates to the organisation’s business operations.
Typical qualifications for DPOs include the ISO/IEC 17024-accredited EU GDPR Practitioner qualification from IBITGQ (www.ibitgq.org), the International Board for IT Governance Qualifications. For more information, see www.ibitgq.org/candidates/certificates.aspx.
Duties of the DPO
The DPO is a protected and independent role, as the Regulation itself states:
The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.51
In conjunction with the allowance that the DPO role can be fulfilled on the basis of a service contract52, it is clear that the DPO is to be permitted a high degree of autonomy to pursue their duties, with the full support of the controller and/or processor, and with recourse to the highest level of management.
The DPO’s primary tasks are outlined in Article 39.53 The first is to:
inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions.
That is, the DPO is responsible for ensuring that the controller, processor and employees who process personal data understand their obligations, and for providing advice on meeting those obligations. While this obligation explicitly applies to the GDPR, it would make sense for the DPO also to be responsible for providing advice on any other data protection laws that are applicable to the organisation. The DPO should advise controllers and processors to implement staff awareness and training programmes to help meet this requirement.
Some of the more important information that the DPO should be able to advise upon relates to Articles 12, 13 and 14, which cover the controller’s/processor’s duties regarding transparency and how personal data is collected from data subjects. These can be especially complex, and may require the organisation to think carefully about how those processes should be managed to minimise the impact on other business processes.
Furthermore, the organisation will need to be aware of any additional legislation that may be passed by the relevant Member State or the Union. The Regulation states elsewhere that “Member States should be able to lay down the rules on criminal penalties for infringements of this Regulation, including for infringements of national rules adopted pursuant to and within the limits of this Regulation”54. This is reiterated when the Regulation encourages Member States to establish further “effective, proportionate and dissuasive penalties”55 where necessary. It will often fall to the DPO to ensure that controllers and processors are made aware of such additional laws and their penalties and, in many cases, this will also need to be communicated clearly to staff.
The DPO’s second task is to:
monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits.
The DPO should have oversight of the privacy compliance framework described in the previous chapter. The documentation produced by the framework (records, reports, schedules, and so on) should provide the DPO with evidence that the framework is being used effectively. Assuming the compliance framework is thorough and effective, the DPO will also be able to confirm that the organisation’s processes meet the requirements of the Regulation, from the policy down to the actual day-to-day application of documented procedures.
This relates to Article 30 of the Regulation in particular, so it will be incumbent on both the controller/processor and the DPO to ensure that the compliance framework generates adequate, suitable and accurate records. Such records will be necessary for the DPO to confirm the efficacy of the organisation’s compliance programme.
The DPO’s third task is to:
provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35.
Part 2 of this manual (Chapters 5 - 8) covers data protection impact assessments (DPIAs) in detail. The DPO has a significant role in DPIAs, so should pay close attention to this section of the manual. This is related to risk management, which the DPO should also be involved in (as noted in Clause 2 of this Article).
The DPO’s fourth and fifth tasks are:
to cooperate with the supervisory authority; and
to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
The DPO is essentially the organisation’s immediate liaison with the supervisory authority. Because organisations required to have a DPO are typically involved in processing large volumes of personal data or special categories of data, they are likely to be subjected to increased attention from the supervisory authority. The DPO, therefore, operates as a single point of contact between the organisation and the supervisory authority, minimising disruption for the organisation.
The DPO will need to pay due regard to high-risk processing, taking into account the nature, scope, context and purposes of any such processing. The appointment of a DPO is mandatory for organisations involved in high-volume data processing because the processing of large quantities of personal data comes with an inherent risk commensurate to the volume.
It is also worth understanding the relationship between the DPO and the data subject. Because organisations are required to publish the DPO’s details, they will often be a point of contact for data subjects asserting their rights under the Regulation. The DPO should therefore ensure that they have appropriate (and documented) processes in place to respond to data subject access requests and complaints to the controller or processor, and to operate as a mediator in any resultant discussions or responses.
This will involve some overlap with the controller’s/processor’s duties to uphold data subjects’ rights. Because of the potential complexity of the interaction between the Regulation and the organisation’s business processes, especially where “modalities [are] provided for facilitating the exercise of the data subjects’ rights under this Regulation”56, the DPO will be affected by the twin pressures of helping the organisation to comply with the Regulation, and supporting and assuring the data subjects’ rights.
The DPO and the organisation
As noted previously, the DPO is a largely independent role, even if it stands in addition to an individual’s other duties within the organisation. The role is about delivering compliance, and you can’t have compliance under the direction of the delivery team because of the conflict of interest. The DPO should, therefore, have the primary objective of ensuring compliance with the law, while the delivery team’s main objective will be to maximise productivity, which may sometimes be counter to the requirements of legal compliance.
To ensure autonomy and oversight, the DPO should sit within a risk management, compliance or governance function. Such roles are generally independent of other business functions and usually have direct access to senior levels of management and/or the board. Ensuring that the DPO has this access is crucial to ensuring that compliance with the Regulation is discussed and directed at that level.
On the other hand, the DPO must also be permitted to carry out their tasks in complete confidentiality and secrecy when required, which introduces a layer of separation between the DPO and the rest of the organisation in the pursuit of compliance.
An effective DPO will ensure that data protection, privacy and the organisation’s legal obligations are on the board’s agenda. While boards have traditionally been uninterested in data protection and cyber security, the size of the potential fines and the ramifications of data breaches now place a fiduciary duty on directors to ensure these risks are properly identified, assessed and managed.
As well as providing guidance on compliance with the Regulation, the DPO should also be capable of providing guidance on appropriate best-practice frameworks to assure compliance. This may be in addition to any such guidance from the EU Data Protection Board57.
The DPO and the supervisory authority
Just as the DPO has a specific relationship with the organisation, the role also has a specific relationship with the supervisory authority.
The DPO operates as a kind of intermediary in many instances, providing a single point of contact, and ensuring that any communications between the supervisory authority and the controller/processor are clearly understood (because the DPO must be suitably qualified, as noted earlier).
The DPO must make their contact details available to both the supervisory authority and to the public. They must also respond directly to requests from the supervisory authority addressed to them, and ensure that requests from the supervisory authority addressed to controllers are acknowledged.
The DPO must also cooperate fully with the supervisory authority if it requests the DPO to, for example: supplement information that was provided in a notification for prior checking with respect to a complaint concerning the DPO’s organisation; monitor progress on the implementation of recommendations from the supervisory authority; or gather information on behalf of the supervisory authority on an issue undergoing examination.
Not only must the DPO respond to all requests within one month, they must also ensure that requests addressed to controllers are addressed within the same timeframe. If this is not possible, the DPO must inform the supervisory authority when a reply will be sent.
Of particular importance will be the DPO’s mediation between the supervisory authority and the controller/processor in the event of a data breach. By operating as a go-between, the requirements of Article 33 can be fulfilled while allowing the controller/processor to focus on responding to and recovering from the incident.
Data protection impact assessments and risk management
The data protection impact assessment (DPIA) is a key tool for the DPO.
DPIAs are a tool for risk management, but are only part of the whole process. The DPO should ensure they understand risk management as a process and how it fits into the compliance framework. This is especially important if the DPO is an external contractor, as they may not otherwise appreciate the organisation’s risk management stance and processes, or how data protection fits into the wider whole.
The DPO should also ensure that they understand the organisation’s risk appetite and how this intersects with the supervisory authority’s expectations. An organisation may, for instance, be willing to accept certain risks that the supervisory authority would expect to be rejected. Should a data breach occur as a result of taking such a risk, the supervisory authority is unlikely to respond kindly.
Many of these issues should be resolved during the consultation phase that may follow a DPIA, as described in Article 36 of the Regulation. Because this procedure relates to potential breaches of the Regulation (and, possibly, other relevant Member State legislation), the DPO will need to be fully prepared to advise the controller or processor, and to respond to any queries or recommendations from the supervisory authority.
In-house or contract
Larger organisations are likely to employ one or more DPOs so that the data protection team has enough depth and resource to cover holidays, illness and succession planning. For smaller organisations, the DPO may in reality not be a full-time activity. As we’ve seen, the organisation has two options for fulfilling the role:
- assign it to an existing member of staff, or
- buy it in from a third party.
Assigning the role to a current member of staff has the advantage that the costs will almost certainly be lower than if a separate individual is employed, and the DPO will be more readily available due to being onsite. However, you must ensure that the projected privacy workload is appropriate to a part-time role and, even more importantly, that it does not occasion any conflicts of interest. It should also be noted that the requirements of the DPO role may in any case make it difficult to fill, and that writing the DPO’s duties into another job description may make your DPO more difficult to replace.
Despite being the seemingly more expensive option, contracting the role out to a third party may prove to be the ideal solution. A contracted DPO (or a DPO-as-a-Service) has more incentive to remain up-to-date with current practices and technologies, and to maintain any relevant professional certifications. Furthermore, as a contracted DPO could fulfil the same role for a number of organisations within the same industry or sector, they will have greater insight into the specific data protection issues affecting that industry/sector. Contractors usually command daily rates of pay, which means they can be called upon as and when they are needed. If your compliance frameworks are followed, you may find you need your DPO’s services less than you anticipated, making a contracted DPO a more cost-effective solution than it may at first appear.
23 GDPR, Article 37(1).
24 GDPR, Article 37(1)(b) and (c), and Recital 97.
25 The definition of ‘core activity’ may vary between Member States.
26 GDPR, Article 37(1)(b) and (c).
27 GDPR, Recital 91.
28 The definition of ‘large scale’ may vary between Member States.
29 GDPR, Recital 24.
30 GDPR, Recital 24; there is also a difference between the wording ‘monitoring their behaviour’ (Article 3(2)(b)) and ‘regular and systematic monitoring of data subjects’ (Article 37(1)(b)), which could be seen as constituting a different notion.
31 The definition of ‘regular and systematic monitoring’ may vary between Member States.
32 GDPR, Article 37(2).
33 GDPR, Article 39(1)(a).
34 GDPR, Article 37(7).
35 GDPR, Article 37(3).
36 GDPR, Article 38(5).
37 GDPR, Section 4 – Data protection officer.
38 GDPR, Article 37(7).
39 GDPR, Article 38.
40 GDPR, Article 35(2).
41 GDPR, Article 38(2).
42 GDPR, Article 38(3).
43 GDPR, Recital 97.
44 GDPR, Article 39.
45 GDPR, Article 38(3).
46 GDPR, Article 38(6).
47 GDPR, Article 37(4).
48 Germany, for instance, requires organisations to appoint a DPO on the basis of the number of people involved in non-automated processing.
49 GDPR, Article 37(5).
50 GDPR, Recital 97.
51 GDPR, Article 38(3).
52 GDPR, Article 37(6).
53 GDPR, Article 39(1).
54 GDPR, Recital 149.
55 GDPR, Recital 152.
56 GDPR, Recital 59.
57 GDPR, Recital 77.