Professional Regulation Update - Data Protection Officers

Published 8 September 2017

From 25 May 2018 it will be mandatory for many organisations to appoint a data protection officer. The GDPR describes the role and tasks of a data protection officer and provides them with a certain protected status. The role can be outsourced and organisations need to consider what they are required to do and what will work best for them.

Do we need a data protection officer?

Under the GDPR, an organisation (whether a data controller or a data processor) is required to appoint a data protection officer (DPO) where:

  • It is a public body (although it is up to each country to determine what constitutes a public body);
  • Its core activities require regular and systematic monitoring of personal data on a large scale; or
  • Its core activities involve large scale processing of sensitive personal data.

It is not straightforward for many organisations to determine whether they come within either of the latter two categories and they should seek specific advice. For example, organisations in the health sector process sensitive personal data and so may be captured by the third category. In general, GPs, dentists and pharmacies will not be covered as they will not be processing on a large scale. However, some pharmacy groups or other health groups may be covered if they process health data centrally.

Voluntary DPOs

The Article 29 Working Party (a group of all the European data protection regulators) encourages the voluntary appointment of a DPO even where it is not mandatory (see here). However, if a DPO is appointed voluntarily, the same obligations which apply to mandatory DPOs will also apply. The obligations of a DPO and the requirements around the role are, as described below, quite prescriptive, and many organisations may be reluctant to follow this path. However, given the role of data in many businesses and the risks associated with using it inappropriately, many relatively small and medium-sized organisations view a DPO as beneficial.

Who can be a DPO? DPOs must be selected on the basis of professional qualities and expert knowledge of data protection law, but do not need to be legally qualified. The required level of expertise is not strictly defined but it must be commensurate with the sensitivity, complexity and amount of data an organisation processes.

Can it be outsourced? Yes, DPOs can be either an employee or external contractor. Any DPO appointed must meet the GDPR's requirements regarding impartiality, accessibility and knowledge of the organisation. The terms of any external appointment should be clearly set out in a service contract.

What about group companies? Group companies can appoint a single DPO, provided the DPO is easily accessible for all within the group. A single DPO can be appointed by a group of public bodies depending on their size and structure. While an organisation can only designate one DPO, he or she can be supported by a team. This overcomes some of the hurdles that might otherwise exist in relation to accessibility and the volume of work required in larger organisations.

DPOs can't be by-passed

  • The DPO effectively has a special “protected status”. He/she must report directly to the highest level of management and cannot be dismissed or penalised for performing his/her tasks. This may create challenges for employers if there are legitimate performance management issues;
  • He/she must be independent, i.e. there should be no conflict of interest in the execution of his/her duties. This means that CEOs, COOs, CFOs and those in charge of marketing, HR and IT cannot be DPOs. He/she must not be instructed on how to carry out the required tasks;
  • Organisations must (i) inform DPOs of all data protection issues within the organisation in a proper and timely manner and (ii) provide him/her with the necessary resources to carry out his/her tasks;
  • Organisations need to put in place 'secure means of communication' between employees and the (internal or external) DPO to ensure the confidentiality of their exchanges.

What do DPOs do?

The minimum duties of a DPO include:

  • informing and advising the organisation and employees processing personal data of their obligations;
  • monitoring compliance with the GDPR;
  • acting as a point of contact for data subjects and data protection regulators;
  • advising on data privacy impact assessments and monitoring their impact.

DPOs can carry out other tasks along with their data protection duties. However, the organisation is required to ensure there are no conflicts of interest in the execution of such duties.

Practical Steps

Organisations should:

  1. Consider whether they're required to have a DPO and, if not, whether they wish to appoint one voluntarily.
  2. Keep a copy of any analysis regarding whether or not a DPO is required, as this assessment falls within the scope of their wider accountability obligations.
  3. If there is an existing DPO, review his or her job specification and consider whether it's still fit for purpose.
  4. Consider the practical issues around appointing a DPO.
  5. Consider jurisdictional issues and whether multiple DPOs or a single DPO should be appointed and whether a support team is likely to be required.

Authors

Aidan Healy

Dublin

+353 (0)123 19669