GDPR acknowledges the 'value of privacy on the ground' by requiring the designation of a GDPR data protection officer. This must be done to comply with the new regulation.
Guidelines on Data Protection Officers
Article 37 of the General Data Protection Regulation states that data controllers and processors must designate a data protection officer in the following circumstances:
- Where the processing is carried out by a public authority, or where the core activities of the controller or the processor involve regular and systematic monitoring of data subjects on a large scale.
- Where the entity conducts large-scale processing of ‘special categories of personal data’. Examples of this include: racial or ethnic origin, political opinions, religious or philosophical beliefs.
Article 37 allows a group of undertakings to designate a single DPO (Data Protection Officer) provided he or she is easily accessible from each establishment. To ensure that the DPO is accessible, their contact details must be made available in accordance with the requirements of the GDPR. He/She must be in a position to communicate efficiently with data subjects and cooperate with the supervisory authorities concerned. The personal availability of a DPO is essential to ensure that data subjects will be able to contact the DPO.
The DPO is bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law.
What skills should our Data Protection Officer have?
- Level of expertise
While not specifically stated in the new regulation, a number of factors should be taken into consideration: the sensitivity, complexity and amount of data an organisation processes, how complex an organisation’s activity is, and whether an organisation systematically transfers personal data outside the EU or whether such transfers are occasional.
- Professional Qualities
Again, Article 37 does not specifically state what these qualities should be; however, DPOs should have expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR.
- Ability to fulfil tasks
This refers to both personal and professional qualities. Personal qualities include integrity and high professional ethics. Professionally, the DPO should be well briefed in the principles of data protection by design and by default, records of processing, and the notification and communication of breaches.
What are the tasks of the DPO?
- Monitoring compliance with the GDPR
The DPO is entrusted (among other duties) with monitoring compliance with the General Data Protection Regulation, meaning the DPO should assist the controller or the processor in monitoring internal compliance with the regulation. However, monitoring compliance does not mean that the DPO is personally responsible if there is an instance of non-compliance.
- The DPO’s role in a data protection impact assessment
Article 35 states that it is the role of the controller, not the DPO, to carry out a data protection impact assessment; however, the DPO can play an important and useful role in assisting the controller. Article 35 specifically requires that the controller shall seek the advice of the DPO when carrying out a data protection impact assessment.
- Risk-based approach
Article 39 recalls a general, common-sense principle which may be relevant to many aspects of a DPO’s day-to-day work. It requires DPOs to prioritise their activities and focus their efforts on issues that present higher data protection risks.
- The DPO’s role in record keeping
Under Article 30 of the GDPR, it is the controller or the processor, not the DPO, who is required to maintain a record of processing operations under its responsibility. However, the controller may assign this as a task of the DPO. In any event, the record required to be kept under Article 30 should also be seen as a tool allowing the controller and, upon request, the supervisory authority to have an overview of all the personal data processing activities an organisation is carrying out.