While certain specific functions may be outlined in the Data Protection Bill 2018, which has yet to be enacted, the role is clearly detailed in the text of the GDPR.
Do I need a DPO?
While there may be some additional specific measures requiring a DPO in the Data Protection Bill when enacted, the GDPR outlines that most public sector bodies will be required to appoint a DPO where they are a controller of personal data. The same applies to private bodies acting as controller of personal data where processing involves regular and systematic monitoring of individuals on a large scale or the processing of 'special categories' of personal data.
Where a body is a processor they may be obliged to appoint a DPO also.
A single DPO can be appointed in respect of an undertaking. This should take account of the scale and size of the organisation and its processing operations. Where an organisation is operating in several member states, the DPO will need to have knowledge of the different data protection rules applying in each member state.
The member state legislation that will implement GDPR will introduce variances in the law, for example, the ‘digital age of consent’ for children will differ between the member states.
Organisations may also appoint a DPO on a voluntary basis and may choose to do so as a means of improving customer confidence and organisational practice. However, care should be taken, as assigning the title of DPO will lead to the organisation assuming the statutory obligations associated with a DPO under the GDPR.
What does the DPO do?
In short: communicate, advise, guide, represent, record.
The purpose of a DPO is to assist an organisation in monitoring internal compliance with the GDPR. The DPO will be a key individual in an organisation’s data governance structure and will enable compliance through the implementation of accountability principles.
The DPO will act as a mediator between an organisation and key stakeholders, such as the supervisory authorities and data subjects.
There is a mandatory list of tasks for which the DPO is responsible, outlined in article 39 of the GDPR, and these have been echoed in the Data Protection Bill. These tasks may be distilled into the following categories.
Firstly, the role is advisory to those parties that matter – the controller and processor – but this also includes any employees processing data.
There is also an educational aspect in what is referred to as ‘awareness raising’ and training of relevant staff (see article 39(a) and (b) and section 32 of the bill).
A DPO must provide advice in relation to a data protection impact assessment and monitor this, where appropriate, giving guidance to processors and controllers of personal data and helping them to identify, grade and avoid risks associated with data processing (GDPR article 35(2) and 77).
A DPO is required to cooperate with the Data Protection Commissioner and is to act as a contact point on behalf of controllers and processors should the need arise.
It would appear that this aspect would present a potential conflict, with the need for confidentiality between the DPO and their employing body, as outlined in article 38.
A DPO should also be consulted should a data breach occur and, once appointed, they must be accessible for all who may wish to contact them – including data subjects (articles 38(4) and 39). Controllers and processors should publish the details of a DPO role to this end (article 37).
While there is a requirement in article 30 that the data controller maintain a record of processing activities or operations, it is suggested that this be done by the DPO on their behalf in order to aid their position as the 'point person' for a controller/processor should they be required to engage and/or cooperate with the Data Protection Commissioner (the Article 29 Working Party’s Guidelines on Data Protection Officers, p18).
Employers’ duties
An employing body must actively support the role, including sufficient time being allocated to a DPO in the performance of their duties; they are not to receive instruction in relation to their tasks by either controller or processor, and must not be ‘dismissed or penalised’ in the performance of their tasks (article 38 GDPR).
The DPO must be adequately resourced to perform the role and be provided with additional training as required.
This does not diminish the need to appoint a suitably qualified person, but rather facilitates a DPO who may require additional training to perform specific tasks as the law evolves.
Who to appoint?
Careful consideration should be given to choosing the individual who will fulfil the role of the DPO. The GDPR is not prescriptive in relation to the necessary experience of a DPO, stating that a DPO “shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices, and the ability to fulfil the tasks referred to in article 39” (article 37).
The necessary level of expert knowledge should be designated in accordance with the tasks that are set out to be performed.
To underscore the importance of the role within the organisation, the DPO must report to the highest management level of an organisation (such as the board of directors).
The level of expertise will vary depending on the complexity of activities in relation to data that an organisation is carrying out.
The DPO should have a deep understanding of the organisation’s activities and the industry in which it operates.
The more complex and unusual the area, the more specialist the expertise required. This would lead most organisations to appoint a person who already works within their ranks to the position of DPO as a means of capitalising on their experience of a body’s structure and practice.
DPO as in-house role
The solicitor who assumes the dual position of in-house solicitor and DPO was discussed at the Law Society’s 2017 conference for in-house solicitors in the private and public sectors (December 2017 Gazette, p26).
The decision as to whether to assume the appointment as a DPO by an in-house solicitor must be considered on its merits in every individual situation.
Consideration has to be given to the scale of an organisation, its processing activities, and the existing role and functions of in-house counsel when determining whether the independence of a DPO can be maintained.
One of the main benefits of having someone working in-house is that, especially should they have worked in an organisation for some time prior to appointment, they are likely to have a unique understanding of the workings of that organisation, leaving them in a better position in which to advise.
However, the role may become challenging, as one may be placed in the difficult position of having to self-audit one’s decision making as in-house counsel against the role of the DPO. It is likely to prove impossible to separate one’s thought processes and decisions for each distinct role.
If in-house counsel is performing a dual role and seeks to rely on professional privilege, the non-legal aspect of the role may cause a loss of professional privilege.
In short, the role should not be undertaken if it cannot be adequately fulfilled. Although a DPO cannot be held personally liable under the GDPR, there is the risk of reputational damage if one is the DPO of a non-compliant organisation.
Some in-house practitioners may consider the role of the DPO as a specialised legal area, which they wish to focus on as a standalone role.
It is further the case that, while someone may be given the task of DPO along with other duties, article 38(6) of the GDPR outlines that the other duties cannot be incompatible with their DPO functions. A clear conflict of interest arises where a DPO also takes the role of data controller.
Examples of roles that would conflict with a DPO's duties were outlined by the Article 29 Working Party: chief executive officer, chief operating officer, chief financial officer, chief medical officer, head of marketing, head of human resources, and head of IT.
An independent DPO
The role of DPO as outlined by the GDPR may also be filled by a person or body separate from the organisation that they are overseeing. In this context, even in large organisations with complex structures, while it may be of benefit to have a person or persons within who are working experts on data protection, the final say on compliance with the regulation may best be taken by someone at a remove from the organisation who can give a detached view.
Further, many organisations are not going to need a full-time DPO, and will simply be happy to have the role filled on a part-time basis.
The main benefit would be that independence will act as protection for both employer and DPO, shielding the latter from undue pressure to crowbar their analysis of data protection concerns into the desires of management.
The clear weakness of the independent DPO is that they may only be as useful as the information they are supplied with, should they not have a complete understanding of the organisation that they oversee.
Let the Wookie win
The GDPR does not reinvent the wheel in relation to data protection law. However, what it does is to attempt to standardise data protection law across Europe and, through the threat of large fines, seeks to have these laws taken seriously.
A DPO is envisaged as a central cog in all of this, a role that encompasses many different skill-sets and demands a high degree of independence in discharging its function.
A DPO is responsible for consultation with data subjects and educating a workforce, but must be at a remove from its employer to ensure compliance with the GDPR and enable the role as a go-between in any exchanges with the Data Protection Commissioner should the need arise.
This independence applies regardless of whether they are an employee or employed on a contract for services basis.
Employing bodies have a choice as to what form the appointment of a DPO is to take: whether it is possible to maintain adequate levels of independence while working in-house, or whether an external DPO will have the requisite insight to complete their duties. This choice must be addressed on a case-by-case basis.
The resulting success or lack thereof will likely depend very much on the attitude of the employing body involved, as much as the work of the DPO appointed, in whatever capacity that may be.