The UK Information Commissioner’s Office (ICO) has issued a resource for organisations to use when hiring and structuring the roles of data protection officers (DPOs) under the General Data Protection Regulation (GDPR). This blog summarises several key elements of that resource.
The ICO’s checklist contains four sections:
- Appointing a DPO – covering situations where a DPO is required to be appointed, and also where one is not expressly required but has been voluntarily appointed.
- Position of the DPO – outlining the reporting structure, involvement in all issues relating to data protection, resources available to a DPO, and independence and freedom from conflicts in one’s capacity in the DPO role.
- Tasks of the DPO – setting out the roles and responsibilities of the DPO, including compliance, training and audits, as well as acting as a contact point for the ICO.
- Accessibility of the DPO – announcing the DPO as the accessible point of contact for employees, individuals, the ICO, and stating that the DPO should have their contact details published and communicated to the ICO.
An organisation must appoint a DPO if:
- It is a public authority or body (other than a court acting in a judicial capacity); or
- Its core activities require regular and systematic monitoring of individuals on a large scale (which include tracking online behaviours); or
- Its core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
Core activities are the primary business activities of an organisation (such as a retailer monitoring customers’ online searches and purchases to offer shopping recommendations), which are distinguishable from processing data for secondary purposes (such as payroll). These requirements apply to controllers and processors, and even if the GDPR does not require your organisation to appoint a DPO, all organisations must have sufficient staff and resources to meet the obligations imposed by the GDPR. A DPO – even one that is voluntarily appointed absent any requirement to do so – may be helpful in that advice can be provided as necessary, and compliance and accountability improved. An existing employee may be appointed as DPO as long as there is no conflict of interest and the employee’s other professional obligations are compatible with the DPO role. A single DPO may be shared among several organisations as long as they can perform their tasks effectively, considering the scope of their responsibilities and the available resources.
If an organisation determines it does not need to appoint a DPO, a best practice is to record that decision, and why this conclusion was reached, to help demonstrate compliance with the GDPR’s accountability principle. For more assistance in determining whether your organisation requires a DPO, the ICO has provided a 5-minute question-and-answer module.
When structuring the role and responsibilities of a DPO, organisations must remember that DPOs must:
- Have experience and expert knowledge of data protection law (ideally in the relevant industry or sector) proportionate to the type of processing carried out by the organisation and the level of protection that such personal data requires.
- Have direct access to the highest level of management without any intermediary.
- Be involved in all issues related to personal data in a timely manner.
- Be sufficiently well resourced to perform their duties.
- Not be penalised for performing duties under the GDPR, especially where the employee has other professional duties.
- Not be given any other tasks resulting in a conflict of interest with the role as a DPO.
DPO tasks and responsibilities
In accordance with article 39 of the GDPR, a DPO should:
- Monitor compliance with the GDPR and other data protection laws, as well as with data protection policies, which may include managing internal data protection activities, training staff and conducting audits.
- Provide advice and information on data protection obligations.
- Advise on and monitor the process of a data protection impact assessment (DPIA).
- Act as a contact point for the ICO, other supervisory authorities and for individuals whose data is being processed.
- Be responsible for assessing the risk associated with the processing being done, including the nature, scope, context and purposes of that processing.
Organisations must ensure that the DPO is closely involved in all data protection matters. The GDPR makes data protection a board-level concern, so the DPO should report to the highest management level of the organisation. They should also operate independently and not receive prejudicial treatment for performing their tasks – even though a DPO’s reporting obligations can put them at odds with their organisation in certain circumstances. Organisations must seek the advice of the DPO when carrying out data protection impact assessments. If an organisation determines that in certain instances it is not following its DPO’s advice, such reasons should be recorded for accountability purposes.
The DPO should be provided adequate resources (including sufficient time, financial support, infrastructure, and appropriate staff, where required) to enable them to meet their GDPR obligations. This will also enable them to maintain expert knowledge in the field. Similarly, DPOs should be given appropriate access to personal data and processing activities within their organisation, and to senior managers who are making decisions about processing of personal data.
A DPO can help their organisation(s) to operate within the GDPR by advising on and helping to monitor compliance. A DPO therefore plays a key role in an organisation’s data protection governance structure and can be a valuable way to show accountability under the GDPR and to improve compliance with its requirements. Organisations should give careful consideration to the nature, extent and impact of their data processing activities, as this determines whether they are obligated to appoint a DPO.