Who is the Data Protection Officer?
Before we delve into details, let's determine who the Data Protection Officer (DPO) actually is. The DPO is defined by the tasks and the role he plays in the organization that appointed him. Generally speaking, the DPO's main task is to support the data controller or the processor by ensuring that every data processing operation in the organization takes place in compliance with the applicable data protection laws. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR), pursuant to Article 38(1), imposes on both the data controller and the processor the obligation to involve the DPO properly and in a timely manner in all matters relating to processing and personal data protection. We will go on to the detailed tasks of the DPO later in this article.
However, what should also be emphasized at the very beginning is the unique position of the DPO within a given organization. The Data Protection Officer is a person who reports directly to the top management and gives them a new business perspective, supervising not only current processes but also coordinating the implementation of new solutions that involve data processing. It follows from this, inter alia, that the DPO:
- has no conflict of obligations or interests (he should not play other roles in the organization that could hinder the performance of DPO tasks),
- receives no instructions regarding the exercise of his tasks, and may not be dismissed or penalised for performing them,
- requires adequate support and resources to fulfill his responsibilities,
- undertakes to maintain confidentiality.
Do you have to appoint a Data Protection Officer?
GDPR indicates the following cases when the appointment of a DPO is mandatory:
- when the main activity of the data controller or processor consists in the large-scale processing of special categories of personal data (e.g. data revealing political opinions or data related to health processed by hospitals), as well as personal data related to criminal convictions and violations of law,
- when the main activity of the controller or processor consists of processing operations which, due to their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale (for example, profiling and assessment of persons as part of a risk assessment for the purpose of granting a discount on insurance premiums),
- when the processing is carried out by a public authority or entity, with the exception of courts.
While public authorities have a general obligation to appoint a DPO, other organizations may have doubts. In any event, however, this obligation only arises in the case of large-scale processing of personal data.
Large-scale data processing
Unfortunately, the GDPR does not include a definition of large-scale data processing. According to the Guidelines on Data Protection Impact Assessment, in order to determine whether data is processed on a large scale, the following factors should be taken into account:
- the number of data subjects (all categories: customers, contractors and their representatives, employees, associates, people within the range of video monitoring, etc.),
- the amount of data or the scope of data processed,
- the duration or permanence of the data processing activities,
- the geographic scope of the processing activities (physical locations controlled by your organization covering the data lifecycle).
If, despite the above guidelines, you still have doubts, always choose or recommend the safe solution, which is to appoint a DPO. Also remember that you can call the hotline of the local data protection supervisory authority without hesitation; you do not have to reveal the identity of the organization you represent.
Designation of Data Protection Officer
Given the function the DPO is to perform, namely to support the data controller or processor in implementing the legal provisions, to ensure that processing operations are carried out in accordance with the GDPR, and to ensure that the rights of data subjects can be fulfilled properly and on time, the person in this position must necessarily have appropriate experience. Article 37(5) GDPR provides that the DPO shall be designated on the basis of:
- professional qualities
- expert knowledge of data protection law and practices
- the ability to fulfil the tasks referred to in Article 39 GDPR
Professional qualities and expert knowledge are criteria that are quite general and difficult to meet at the same time. More detailed information on the qualities of a candidate suitable for the performance of DPO functions is provided in the Guidelines on Data Protection Officers, according to which expert knowledge should be relevant to the nature, complexity and amount of data processed within the organization.
When assessing the professional qualities of a future DPO, one should take into account the level of knowledge in the field of national and European personal data protection regulations and practices, in-depth knowledge of the GDPR, and knowledge of the data controller's activity: the given business sector, the systems and safeguards applied, and the operating procedures.
Because personal data protection is a very broad discipline, a DPO candidate should have interdisciplinary knowledge and also demonstrate skills in effective knowledge sharing, communication, project management, negotiation and mediation.
DPO tasks referred to in Article 39 GDPR
The main tasks of the DPO identified in Article 39(1) GDPR are:
- to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to applicable data protection laws (correct performance of this task by the DPO supports informed decision-making by data controllers and processors),
- to monitor compliance with applicable data protection laws and with the internal policies of the organization, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits (in this respect the activity of the DPO should not be of a one-off nature, but continuous and long-term),
- to provide advice where requested as regards the data protection impact assessment and to monitor its performance pursuant to Article 35 GDPR (the already mentioned Guidelines on Data Protection Officers may be helpful in this regard),
- to cooperate with the supervisory authority,
- to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter (this should be understood as the DPO acting as an intermediary between the data controller or processor and the supervisory authority).
Moreover, as results from Article 38(4) GDPR, the DPO acts as the contact point for data subjects with regard to all issues related to processing of their personal data and to the exercise of their rights under GDPR.
However, bear in mind that, despite the above-mentioned tasks, the DPO ultimately has no direct decision-making power. The entity that actually makes the decisions and is responsible for implementing appropriate technical and organizational measures ensuring an appropriate level of security is the data controller or the processor.
How to shape cooperation with DPO
The GDPR leaves you free to decide whether your DPO will be a member of your staff, as your employee, or will come from outside, from a specialized company. When choosing a DPO, you should bear in mind the aforementioned criteria, and remember that the wrong choice of DPO may lead to non-compliance with the GDPR.
Internal employee as DPO
There may be a number of advantages to appointing your own employee as DPO. Such a person knows not only your industry but also the processes and the detailed way in which your organization functions, including its weaknesses and the gaps in the existing data protection system. The constant presence of an employee in the organization may also result in more complete supervision of data protection matters.
The weaknesses of such a DPO are the potential obstacles to ensuring the appropriate status and the required independence. There may be a conflict of interest arising from the other duties the employee performs in the organization, a lack of knowledge and methodology (an employee may require time-consuming and costly training in the field of data protection), and lower compliance among the other employees who are actually to apply the GDPR provisions.
DPO from external, specialized company
An external company usually provides specialization in data protection, a developed methodology and established work patterns. On the other hand, the lack of a permanent presence in the organization creates, for example, the risk that the DPO will only review the matters that are communicated to him. Choosing such a company may also involve many difficulties.
In addition to the obvious step of checking the company's reputation and credentials, you need to make sure its offer includes enough working time to complete all tasks, and that the company's consultants ensure prompt availability in the event of a personal data breach. Such a company should also provide you with an efficient point of contact within your organization and demonstrate that the proposed DPO has the experience, materials and tools sufficient to conduct reliable training of your staff. Also, do not forget to verify that your future DPO has professional liability insurance.
When you finally manage to appoint the DPO, make sure to report this fact to the supervisory authority!