By Marina Benassi
Last December, the Article 29 Data Protection Working Party, the European advisory body on data protection issues, published new Guidelines on the role of the DPO under the General Data Protection Regulation (GDPR)[i]. This short article is meant to provide an overview of the main issues concerning the choice (or, in some cases, the obligation) to appoint a Data Protection Officer (DPO).
Article 37 of the GDPR focuses on the role of the DPO, describing it as that of a person (whether an employee of the organisation or an external counsel) who is given formal responsibility for data protection compliance within an organisation.
The main elements pertaining to this role can be summarized as follows.
A. OBLIGATION TO APPOINT
A huge misconception exists in this regard: regardless of whether or not the GDPR applies to a company, there is no general, abstract rule obliging all companies and organisations to appoint a DPO. The GDPR does leave room for individual Member States to decide whether to extend the DPO obligation to a wider range of organisations. Nevertheless, for the time being, Article 37 of the GDPR lays down the obligation to appoint a DPO for certain categories of businesses:
1- Public authorities/bodies: any organisation that is a public authority or a public body must appoint a DPO. The GDPR does not provide a definition of "public authority or body" and leaves it to the Member States to determine which organisations are to be considered as such. The Working Party does recommend that private companies performing public functions (for example under outsourcing arrangements) appoint a DPO in relation to all activities of the company.
2- Organisations whose core activities require the systematic monitoring of individuals on a large scale: the key concepts here are "CORE ACTIVITIES" and "LARGE SCALE". With regard to this category, the Guidelines make it clear that the term "core activities" refers to the key operations necessary to achieve the main objectives of the relevant organisation. The processing of health data by a hospital is a 'core activity' of the hospital or another health institution, but the processing of data by the IT department in the context of the provision of internal IT services of a company, as well as the payroll activities performed by HR, must be considered an 'ancillary' activity. Regarding the condition of processing on a 'large scale', factors such as the geographical scope, the volume of data and the number of data subjects concerned are all to be taken into account. An individual physician will not process data on a 'large scale', but a bank processing customer data, an insurance company, or a service provider or advertising company processing data for behavioural advertising, will.
3- Organisations whose core activities involve the processing of sensitive personal data or data relating to criminal convictions. The processing of personal data involving criminal activities is not the 'core activity' of a criminal lawyer, but your favourite shop keeping 'in touch' with (the needs and desires of) its clients through fidelity/loyalty cards might very well fulfil the description of a 'core activity' aimed at the processing of (sensitive) data. This condition also covers the tracking and profiling of individuals on the internet, location tracking by mobile apps, fitness trackers, health trackers, CCTV monitoring and, of course, the collection of personal data through connected devices such as smart meters and smart/connected cars.
B. OPTIONAL APPOINTMENT
Even if an organisation does not fall into any of these categories, it could still be wise to appoint a DPO. A DPO can in fact provide additional expert supervision and improved certainty in case of disputes. The Guidelines are in favour of this kind of appointment. Some organisations opt for appointing other staff/consultants/advisors to perform the tasks relating to data protection compliance instead of a DPO. This is possible. The Guidelines indicate that such staff should not be called 'DPO', to avoid confusion.
C. WHO CAN I APPOINT?
i- A DPO can be appointed for a corporate group (or for several companies within the group), provided that he or she can easily reach each business location he or she is responsible for. The appointment of such a 'Group DPO' is certainly desirable when a certain level of homogeneity exists between the entities.
ii- Another option is to appoint a DPO TEAM covering different geographical areas.
iii- The choice is left open to appoint an internal DPO (or DPO team) or an external one (one or more consultants). Small companies may find the appointment of an external DPO, who splits his or her time among several appointments, financially more viable than employing a professional on a full-time (or part-time) basis.
One relevant issue to consider in the case of international companies and organisations is the possible language barrier. Having regard to the many different languages spoken within the EU and the possible multiple locations of the organisation, it will not be possible to envisage one person capable of communicating in all the official EU languages with the national Authorities, which will not always be fluent in English. Aside from the linguistic problems, some fundamental (and quite certainly remaining) differences among the national legislation of the Member States must also be considered. On these grounds, it appears that an EMEA DPO (or any DPO who is appointed on behalf of a group with multiple international locations within the EU) should necessarily be put in a position to fall back on local experts/referents (whether external or internal to the company) in order to properly perform the required tasks.
D. KNOWLEDGE (yes, it is a real job)
This role is not a mere formal appointment. The GDPR requires that a Data Protection Officer has demonstrable expert knowledge of privacy law, (ideally) IT law and data security. Simply appointing one of your current employees or a manager as a DPO is not enough and can be dangerous (see further under G). A mere grasp of some basic privacy concepts is insufficient for this role, which requires a very good understanding of the specific legislation and of the data processes specific to the company.
The DPO must be autonomous (i.e., the business must abstain from instructing the DPO on how to complete his or her tasks) and fully independent (he or she must avoid any conflict of interest). It must be stressed that most senior positions within a business are likely to conflict with the duties of the DPO (e.g., director, chief executive, chief operations officer, chief financial officer/head of finance, head of marketing, head of HR or head of IT). Only a few months ago, a Bavarian company was fined by the German Authority (Bayerisches Landesamt für Datenschutzaufsicht) for the appointment of an IT Manager as DPO[ii]. According to the German Authority, the appointment was deemed to create a conflict of interest between the two roles, because the IT Manager normally plays quite a relevant role in the management of data protection activities, overseeing the deployment of specific instruments, policies and tools, and therefore provides no guarantee of an unbiased approach. While it is not necessary to preclude a DPO from covering other roles within the organisation, the DPO should never oversee decision-making tasks concerning IT and the personal data processed by the company. Even if the decision concerns Germany, it can be viewed as a very good indication of future tendencies under the Regulation.
To help ensure that DPOs are autonomous and independent, this role is protected under the GDPR from unfair dismissal/termination for reasons relating to the performance of the DPO role. Of course, a DPO who is an employee of the company may also benefit from the protections afforded by local employment law in some EU Member States. The GDPR does not protect a DPO from dismissal/termination for reasons that are not connected with the performance of the DPO role (e.g., gross misconduct), but organisations cannot remove a DPO merely because he or she adopts an approach to data protection compliance which Management considers too conservative. If an organisation appoints an external contractor as its DPO, the protections afforded by the GDPR also apply to that external contractor (e.g., no unfair termination of the service contract for activities as DPO is allowed).
G. TASKS (this is it)
Article 39(1) of the GDPR lists a series of tasks which must be performed by the DPO. He or she:
- must create awareness and provide training in the field of data protection;
- must monitor the organisation's compliance with the GDPR and advise the business on data protection issues;
- provides a fundamental link between the Authority/Authorities and the organisation, and is the contact point for data subjects;
- has a role in carrying out data protection impact assessments (NOTE: such a Data Protection Impact Assessment should be carried out before any high-risk processing is contemplated);
- is expected to take a risk-based approach, ensuring that high-risk processing activities are prioritised;
- is involved in any other data protection related tasks indicated by the organisation.
H. ACCOUNTABILITY (it may not be as dangerous as it seems)
The DPO's task of monitoring the business's compliance with the GDPR does not lead to individual liability of the DPO for non-compliance by the organisation. The Management of the company may disagree with the advice given by the DPO, and the organisation is by no means required to follow the DPO's advice. However, the Guidelines do require the business to document in writing the reasons for not following the DPO's advice.
I. CONCLUSION
Organisations should consider very carefully whether to designate a DPO, bearing in mind that:
(i) the Article 29 Working Party's Guidelines make it clear that all organisations should consider voluntarily appointing a DPO;
(ii) if an organisation chooses not to appoint a DPO, the Guidelines recommend that records be kept of the reasons behind that decision, in order to be able to demonstrate that all relevant factors have been properly considered;
(iii) organisations appointing a DPO must give the DPO due access to all the resources and all the necessary support to fulfil the role, ensuring the DPO can act independently and in complete autonomy;
(iv) organisations need to make sure that an appropriate, competent DPO is appointed, with the necessary expertise and knowledge;
(v) the appointment of a DPO should not be delayed until enforcement of the GDPR, as it can become difficult to find suitable candidates still available;
(vi) failing to fulfil the obligations regarding the appointment and support of a DPO can prove very expensive: the fines prescribed by the GDPR apply, up to a maximum of the greater of €10 million or 2% of worldwide turnover.
Questions or doubts regarding the appointment of a DPO? Do you want to know how best to prepare for the GDPR? Not sure how the new Privacy Regulation will affect your organisation? You can contact firstname.lastname@example.org.