What liabilities for the data protection officer?
The role of the data protection officer is one of the most controversial changes introduced by the EU Privacy Regulation. What liabilities and obligations fall on him?
Updated on 27 April 2017 after the publication of the final version of the WP29 Guidelines on the data protection officer
As part of the series of blog posts on the major changes introduced by the EU Data Protection Regulation (GDPR), here is an article on the new role of the “data protection officer” (DPO). This role was already provided for by the privacy legislation of some countries, but it now becomes compulsory in some circumstances. You can review the other posts of this series below.
When is the appointment of a DPO compulsory?
The most relevant circumstances in which the GDPR requires the appointment of a data protection officer are:
- when the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, e.g. in the case of telecom operators, banks, insurance companies or hospitals, but also of any entity using Internet of Things technologies that require the monitoring of individuals; and
- when the core activities of the controller or the processor consist of processing on a large scale of special categories of data (e.g. health related or biometric data) or personal data relating to criminal convictions and offences, such as again in the case of hospitals, but also of companies exploiting eHealth technologies.
According to the Guidelines on the role of Data Protection Officers issued by the Article 29 Working Party (the “WP29 Guidelines”), organisations should document the internal analysis that led to the decision whether or not to appoint a DPO. This analysis would be part of the documentation kept under the accountability principle.
Also, what counts as “core activities”, a “large scale” of personal data and “regular and systematic monitoring” for the purposes of the definition above is to be assessed on a case-by-case basis, bearing in mind that:
- a core activity includes anything that is essential to run the core business of a company, e.g. the core business of a hospital is to provide health treatments that cannot be performed without processing health-related data;
- a large scale of data needs to be assessed based on, among other factors, its number, volume, duration and geographical extent; and
- regular and systematic monitoring of data occurs in the case of ongoing, recurring or constant monitoring of data which has been pre-arranged.
The appointment can be compulsory not only for the data controller, but also for the data processor. There might be a single DPO for a group of companies, but it is essential to ensure his accessibility and availability, which makes such an option quite difficult in large groups.
Also, the appointment can occur on a “voluntary basis”, but if in such a case the intent is just to have an internal privacy expert who monitors privacy compliance, the matter should be carefully addressed to avoid confusion with the role of the DPO.
Who shall be the data protection officer?
1. What skills are required?
The data protection officer does not necessarily need to be a lawyer, but the WP29 Guidelines refer to a level of expertise, skills and professional qualities adequate to the role, also recommending the attendance of training courses. This means that in large and complex organisations, it might be difficult for the same individual to be an expert in considerably different areas.
2. Does the DPO have enough time to be dedicated to the role?
Under the GDPR, the controller shall ensure that the DPO is “involved, properly and in a timely manner, in all issues which relate to the protection of personal data” and has “sufficient time […] to fulfil their duties”.
It is possible to have an officer who is not dedicated full time to the role of DPO, but this shall be assessed on the specific peculiarities of each scenario, taking into account the complexity of the other, non-DPO-related duties and the complexity of the data protection issues to be dealt with by the company.
3. Is the DPO independent?
According to the GDPR, DPOs should be in a position to perform their duties and tasks in an independent manner. They should not receive internal instructions on how to perform their tasks or on which position they should take. But the decision maker remains the data controller/processor, who might even dissent from the DPO’s view.
Likewise, DPOs should “not be dismissed or penalised by the controller or the processor for performing [their] tasks”, e.g. the DPO cannot be dismissed because the company dissents from his position. However, the WP29 Guidelines do not clarify whether the DPO might be dismissed/penalised because the company reaches the conclusion that he is not appropriate for that role. The matter is very delicate and might lead to abuses by DPOs, which renders the option of outsourcing the role even more attractive.
As mentioned above, the DPO can be an employee who performs other duties, but these must not result in conflicts of interest. Indeed, this is interpreted by the WP29 Guidelines in the sense that the absence of conflicts of interest entails that the DPO cannot hold a position within the organisation that leads him to determine the purposes and the means of the processing of personal data. For instance, the CFO, the COO, the CTO and the CMO are all roles that would be in a conflict of interest, as in some circumstances they would have to investigate misconduct to which they themselves contributed.
Also, such independence requires that the DPO can “directly report to the highest management level of the data controller”. Indeed, the rationale is that, in the absence of such direct reporting, the DPO’s recommendations could not be directly submitted to the top management.
Can the DPO be outsourced, or can the role be held by a team?
The role of the data protection officer might be outsourced to an external organisation (e.g. a law firm), which shall meet the criteria required by the GDPR to perform the role. In this respect, I believe more in the appointment of an external DPO within an organisation rather than of an organisation as a whole.
It should be considered in any case that the WP29 Guidelines also provide for the appointment as DPO of a team of individuals, who might be different employees of a company or of an external supplier. And indeed, in my view the option of having an internal committee that meets periodically to support the activity of the DPO and ease the performance of this role is recommendable.
What is the role of the DPO?
The Data Protection Officer shall be “involved, properly and in a timely manner, in all issues which relate to the protection of personal data”.
According to the WP29 Guidelines, the DPO shall in particular:
- collect information to identify processing activities,
- analyse and check the compliance of processing activities,
- inform, advise and issue recommendations to the controller or the processor,
- cooperate with the data protection authority and act as a contact point for the data protection authority on issues relating to processing.
A particularly active role is carried out, for instance, in the performance of the privacy impact assessment, which shall be guided by the DPO. The WP29 Guidelines even recommend adopting internal guidelines on when the DPO shall be consulted.
WRITTEN BY GIULIO CORAGGIO
IT, gaming, privacy and commercial lawyer at the leading law firm DLA Piper. You can contact me via email at firstname.lastname@example.org or email@example.com or via phone at +39 334 688 1147.