GDPR: a Data Protection Officer
KOENRAAD VELTMANS
Retired. Founder Privacy Intelligence. Proven experience in GDPR implementation, Compliance, interim management.
The General Data Protection Regulation (GDPR) obliges organisations, under certain conditions, to appoint a Data Protection Officer (DPOr; the abbreviation DPO is also common, but it is easily confused with Data Protection Office). A second source of confusion is that the GDPR intends the DPOr to protect personal data, whereas the title "Data Protection Officer" could cover every other kind of data as well; moreover, the word "protection" may suggest a technical rather than a legal expertise.
According to the GDPR (art. 37), a DPOr is mandatory if one of the following conditions is met:
- The processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale;
- The core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 (the so-called sensitive data: race, political preference, …) or of personal data relating to criminal convictions (art. 10).
The draft Regulation still mentioned a threshold of companies with 250 FTEs or more, but this obligation was dropped. If your company does not meet one of the three conditions, a DPOr is not mandatory. This does not mean that it is unwise to appoint one anyway: a DPOr is always a big help and a better guarantee that the privacy rules are complied with.
Qualities of a DPOr
The DPOr may be an employee or an external person, and may work full-time or part-time. The main conditions to respect are:
- Be competent (designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices, and the ability to fulfil the tasks);
- Be available (i.e. able to spend the time the job requires);
- The name of the DPOr must be communicated to the supervisory authority.
What is the position of a DPOr?
- The controller (or processor) must involve the DPOr in a timely and proper manner (ideally at the kick-off of each project involving personal data);
- The DPOr must get the full support of the controller (or processor), including the resources necessary to carry out his/her tasks, access to all personal data processing, and the training needed to keep up his/her expert knowledge;
- The controller or processor may not give any instruction on how the DPOr should perform his/her tasks;
- The DPOr must report directly to the highest management level;
- Data subjects must be able to contact the DPOr when exercising their rights;
- The DPOr is bound by secrecy or confidentiality concerning the performance of his/her tasks and duties;
- And last but not least: the controller or processor must ensure that there is no conflict of interests. Internal staff should not combine the function of DPOr with functions that create a potential conflict. A golden rule is that privacy officers are like compliance officers (they may even both sit in the compliance department). Less suitable combinations are, for example, head of Legal and DPOr, or CISO/BISO and DPOr.
Tasks of the DPOr (art. 39 GDPR). These are the minimum tasks:
- To inform and advise the controller (or processor) and the employees who carry out processing of their obligations under privacy law;
- To monitor compliance with the GDPR (and other privacy laws), including the assignment of responsibilities, awareness-raising and training of staff, and the related audits;
- To provide advice where requested as regards Privacy Impact Assessments and to monitor their performance;
- To cooperate with the supervisory authorities;
- To act as contact point for the supervisory authorities on processing issues (especially those where prior consultation of the supervisory authority is mandatory);
- To take into account the risks associated with the processing (considering its nature, scope, context and purposes).
Conclusion: the DPOr must oversee compliance with privacy legislation: fair processing, respect of the legal bases and the purposes, transparency, information to the data subjects (e.g. privacy notices), accuracy of the processed data, etc. The DPOr provides the necessary policies, instruction notes and advice, puts together the Information Security Policy, monitors risks and, where necessary, vetoes non-compliant processing, and protects the rights and freedoms of the data subjects. To do this, the DPOr imposes a set of technical and organisational measures.
The DPOr is both the watchdog within an organisation and the contact point for data subjects, authorities, staff and all other stakeholders whenever privacy issues are involved.
Koenraad Veltmans, founder and consultant Privacy Intelligence
Legal & Compliance counsel
Interesting contribution, Koen