Appointing a designated Data Protection Officer
by Mandy Webster
All public authorities and public bodies must designate a DPO and so must other organisations that monitor individuals systematically and on a large scale as a core activity or where they process special categories of personal data on a large scale. The technical terminology is important, specifically (Article 37):
“The controller and the processor shall designate a data protection officer in any case where:
(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.”
Which bodies must appoint a DPO?
The guidance follows the same arguments rehearsed in other areas about what is a public body. It states that “A public task may be carried out, and public authority may be exercised not only by public authorities or bodies but also by other natural or legal persons governed by public or private law, in sectors such as, … public transport services, water and energy supply, road infrastructure, public service broadcasting, public housing or disciplinary bodies for regulated professions.”
The reasoning behind inclusion of a wider list of organisations, extending to those that, while essentially private organisations, fulfil a public task, is explained: “… data subjects may be in a very similar situation to when their data are processed by a public authority or body. In particular, data can be processed for similar purposes and individuals often have similarly little or no choice over whether and how their data will be processed and may thus require the additional protection that the designation of a DPO can bring.” So, as a matter of law such organisations need to designate a DPO. The guidance goes on to recommend, as a matter of good practice, that the designated DPO’s activity should also cover all processing operations carried out, including those that are not related to the performance of a public task or exercise of official duty.
Private bodies involved in monitoring individuals regularly, systematically and on a large scale
The guidance interprets “regular” as:
- “Ongoing or occurring at particular intervals for a particular period
- Recurring or repeated at fixed times
- Constantly or periodically taking place”
And ‘systematic’ as meaning one or more of the following:
- Occurring according to a system
- Pre-arranged, organised or methodical
- Taking place as part of a general plan for data collection
- Carried out as part of a strategy
Taken together, it is suggested that this means processing in the regular course of business, excluding only processing that is ad hoc in nature.
The guidance gives examples of large-scale processing:
- processing of patient data in the regular course of business by a hospital
- processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards)
- processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in providing these services
- processing of customer data in the regular course of business by an insurance company or a bank
- processing of personal data for behavioural advertising by a search engine
- processing of data (content, traffic, location) by telephone or internet service providers
Contrasted with examples that do not constitute large-scale processing:
- processing of patient data by an individual physician
- processing of personal data relating to criminal convictions and offences by an individual lawyer
Here the conclusion is that larger organisations are likely to be processing data on a large scale. The guidance seems to be based on the size of the organisation.
Voluntarily designating a DPO
Other controllers and processors may find it helpful to designate a DPO on a voluntary basis. But care is needed here, as designating a DPO will automatically bring in additional legal requirements under Articles 37-39. (Articles 37-39 cover publicising the DPO contact details, resources for the DPO, avoidance of conflict of interest, involvement in decisions and discussions which raise data protection issues, and the DPO’s tasks.) So, where there is no obligation under GDPR to designate a DPO but the organisation chooses to source data protection compliance advice internally or externally, it is recommended that it makes very clear whether or not it intends those Articles to apply, and that it avoids confusion regarding the title, status, position and tasks if it is not intended to bring Articles 37-39 to bear.
The very watchword of the GDPR is accountability. The guidance stresses that the DPO is not held personally accountable for the compliance of a data controller or processor. The responsibility remains with the organisation. It is good to have that specifically stated.
The guidance recommends that organisations carry out an analysis to determine whether or not the designation of a DPO is mandatory or whether one should be appointed voluntarily. The analysis should be documented so that the organisation can demonstrate that it has considered all relevant circumstances.
Groups of companies and group DPOs
Article 37(2) allows a group of undertakings to designate a single DPO taking account of their organisational structure and size and provided that he or she is ‘easily accessible from each establishment’.
The ability of the DPO to perform the set tasks for the different organisations is key, including the resources and particularly communication mechanisms. The idea of accessibility refers to the tasks of the DPO as a contact point with respect to
- data subjects
- the supervisory authority
- internally within the organisation
So, the DPO’s contact details must be available to all these parties and in the “language or languages used by the supervisory authorities and the data subjects concerned”.
Expertise and skills of the DPO
Article 37(5) provides that the DPO ‘shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks set out in the GDPR’. The recitals explain that the necessary level of expert knowledge depends on the data processing operations carried out and the protection required for the personal data being processed. So, this is a risk-based test: the expertise required depends on the complexity of the processing and the risk of harm to data subjects.
In particular, the risk is higher where the organisation systematically transfers personal data outside the European Union than where such transfers are only occasional. The DPO should thus be chosen carefully, with due regard to the data protection issues that arise within the organisation.
Although the GDPR does not specify the professional qualities required of a DPO, the Article 29 Working Party opinion is that DPOs should have expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR. Knowledge of the business sector and of the organisation of the controller is useful. In the case of a public authority or body, the DPO should also have a sound knowledge of the administrative rules and procedures of the organisation.
Ability to fulfil its tasks
This refers both to expertise, skills and professional and personal qualities, and to the position of the DPO within the organisation. Personal qualities should include, for instance, integrity and high professional ethics.
My opinion is that any compliance role carries an inherent conflict of interest within the organisation. Usually the specialist in a compliance area is relied on heavily by the business to draft wordings, policies and procedures and conduct training. Providing a high level of this kind of “hands on” support gives rise to a conflict when trying to audit the same work. Managing that duality is what will be most difficult for the chosen DPO.
Article 38(6) allows DPOs to ‘fulfil other tasks and duties’ but it also states that the organisation should ensure that such tasks and duties do not result in a conflict of interests. WP29 states that the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data. This is difficult because the interpretation of “controller” is the party that makes the decisions about processing personal data, although in fact we all understand that decisions are taken by managers on behalf of the controller organisation. My interpretation is that some roles are precluded from the role of DPO, such as the HR Manager, the Finance Manager and business managers. WP29 says: “As a rule of thumb, conflicting positions may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources).” This tends to push the DPO role onto more junior managers or professional legal or compliance personnel. Take note of this if your organisation is not required to have a designated DPO but adopts one for best practice reasons.
Outsourcing the DPO role
It is possible to outsource the DPO role and I have given thought to this. Several points arise in this context:
- The Article 29 Working Party says that all members of the outsource service provider organisation need to comply with the rules around skills, expertise, professional qualities, etc.
- The Working Party can also see benefits from having a team working on the compliance role, bringing different and complementary skill sets to bear.
- My thoughts are:
  - that the initial set-up of processes compliant with GDPR will require significant input, but on an ongoing basis the support will be much less. This would suit an outsourced arrangement, but “book early” because everyone will be trying to source expertise in the GDPR at the same time.
  - The time that would need to be spent by an outsider to ensure that an organisation is complying with the GDPR would be significant, so the process would be expensive.
  - A mix of external support to check on the work of an internal DPO would give the independence to overcome problems with conflict of interest and should provide the advantages of using more expensive external resource only when absolutely required.
  - Outsourcing does ensure a level of continuity. Persons suitably qualified to undertake the DPO role will be in short supply and may be encouraged to job hop, leaving organisations without appropriate support.
Position of the DPO within the organisation
The DPO should be involved in all issues relating to the protection of personal data. Specifically (Article 38) the controller and the processor shall ensure that the DPO be ‘involved, properly and in a timely manner, in all issues which relate to the protection of personal data’.
WP29 says: “It is crucial that the DPO is involved from the earliest stage possible in all issues relating to data protection. In relation to data protection impact assessments, the GDPR explicitly provides for the early involvement of the DPO and specifies that the controller shall seek the advice of the DPO when carrying out such impact assessments. Ensuring that the DPO is informed and consulted at the outset will facilitate compliance with the GDPR, ensure a privacy by design approach and should therefore be standard procedure within the organisation’s governance. In addition, it is important that the DPO be seen as a discussion partner within the organisation and that he or she is part of the relevant working groups dealing with data processing activities within the organisation.
Consequently, the organisation should ensure, for example, that:
- The DPO is invited to participate regularly in meetings of senior and middle management.
- His or her presence is recommended where decisions with data protection implications are taken. All relevant information must be passed on to the DPO in a timely manner in order to allow him or her to provide adequate advice.
- The opinion of the DPO must always be given due weight. In case of disagreement, the WP29 recommends, as good practice, to document the reasons for not following the DPO’s advice.
- The DPO must be promptly consulted once a data breach or another incident has occurred.”
All I can add to this is that evidence is everything under GDPR: make sure that the DPO’s involvement is documented.
DPO to have all necessary resources
The DPO should have the resources necessary to carry out their tasks, access to personal data and processing operations, and the means to maintain their expert knowledge. Support of the DPO’s function by senior management is critical, probably the most important factor if the DPO is going to be able to carry out their duties (my view). Obviously the DPO needs financial resources, infrastructure (premises, facilities, equipment) and staff where appropriate. The DPO also needs access to other services, such as Human Resources, legal, IT, security, etc.
WP29 says that the DPO will require continuous training to keep up to date with regard to developments within data protection. The aim should be to constantly increase the level of expertise of DPOs and they should be encouraged to participate in training courses on data protection and other forms of professional development. Some organisations may require a team of DPOs depending on the size and structure of the organisation.
Instructions and ‘acting in an independent manner’
GDPR sets out some basic guarantees to help ensure that DPOs are able to perform their tasks with a sufficient degree of autonomy within their organisation, stating that “whether or not they are an employee of the controller, [they] should be in a position to perform their duties and tasks in an independent manner”. This is a standard compliance requirement, familiar from other sectors. However, note that the controller or processor remains responsible for compliance with data protection law and must be able to demonstrate compliance. Failure to comply is not the fault of the DPO.
Disagreement between the controller or processor and the DPO should be documented. In discussion with clients I always refer to this as commercial risk. It is vital that the business understands that compliance professionals must advise on the law as it is and cannot change it to suit circumstances. The business may, of course, take a commercial risk to ignore professional advice. It does not change the advice.
Dismissal or penalty for performing DPO tasks – security of tenure for the DPO
The DPO should ‘not be dismissed or penalised by the controller or the processor for performing [their] tasks’ (Article 38(3)). The objective of this clause is to strengthen the autonomy of the DPO and encourage them to act independently, with some protection in performing their data protection tasks.
Quoting from the WP29 Opinion: “Penalties are only prohibited under the GDPR if they are imposed as a result of the DPO carrying out his or her duties as a DPO. For example, a DPO may consider that a particular processing is likely to result in a high risk and advise the controller or the processor to carry out a data protection impact assessment but the controller or the processor does not agree with the DPO’s assessment. In such a situation, the DPO cannot be dismissed for providing this advice. Penalties may take a variety of forms and may be direct or indirect. They could consist, for example, of absence or delay of promotion; prevention from career advancement; denial from benefits that other employees receive. It is not necessary that these penalties be actually carried out, a mere threat is sufficient as long as they are used to penalise the DPO on grounds related to his/her DPO activities.
As a normal management rule and as it would be the case for any other employee or contractor under, and subject to, applicable national contract or labour and criminal law, a DPO could still be dismissed legitimately for reasons other than for performing his or her tasks as a DPO (for instance, in case of theft, physical, psychological or sexual harassment or similar gross misconduct).
In this context it should be noted that the GDPR does not specify how and when a DPO can be dismissed or replaced by another person. However, the more stable a DPO’s contract is, and the more guarantees exist against unfair dismissal, the more likely they will be able to act in an independent manner.”