Introduction to the General Data Protection Regulation
The General Data Protection Regulation (GDPR) governs how the personal data of EU citizens can be collected, transmitted, processed and stored inside and outside of the EU. GDPR went into effect on May 25th, 2018. As part of GDPR, the role of Data Protection Officer (DPO) has become very significant in organizations processing EU citizens’ personal data.
A Data Protection Officer is the person in charge of ensuring organizational compliance with the data protection regulations outlined in GDPR. In this article, we’ll discuss the responsibilities, role requirements and duties of a DPO as well as when an organization is required to appoint one.
Responsibilities of a Data Protection Officer
Article 39 of the General Data Protection Regulation defines the minimum necessary duties of a Data Protection Officer. These include the following:
- Inform and advise data processors, controllers and other affected employees about their obligations under GDPR and other EU and Member State data protection regulations
- Monitor compliance with GDPR and other regulations and policies, including performing audits, providing training and awareness-raising, and assigning related responsibilities
- Provide advice on, and monitor the performance of, the data protection impact assessment (defined in Article 35 of GDPR)
- Cooperate with the supervisory authority
- Act as the point of contact between the organization and the supervisory authority
The independence of the Data Protection Officer is also protected under the General Data Protection Regulation. GDPR gives organizations the following specific instructions regarding the DPO (Article 38):
- Data Protection Officers should receive no instructions about how to perform their duties
- The Data Protection Officer cannot be fired or penalized for performing their duties
- The Data Protection Officer reports to the highest level of management of the data processor or controller
While a Data Protection Officer is tasked with monitoring how an organization processes protected data, the organization is responsible for compliance with GDPR. The organization is responsible for ensuring that the Data Protection Officer is involved in any issues relating to protection of personal data.
The role of Data Protection Officer is also partially a public-facing role. Under GDPR, data subjects have a number of rights and protections when their data is being processed by an organization. One of these rights is the ability to reach out directly to an organization’s Data Protection Officer. A DPO is responsible for responding to these requests for information and protecting the data subject’s rights as defined by GDPR.
Conditions Where a Data Protection Officer is Necessary
For some organizations, having a Data Protection Officer (DPO) is a mandatory requirement under GDPR. In all other organizations, it is optional but recommended as best practice. The decision of whether or not an organization needs a DPO is not based on the size of the organization (there are no size exemptions) but on the data processing operations performed by the organization.
Article 37 of the General Data Protection Regulation specifies three criteria, any one of which makes appointment of a Data Protection Officer mandatory:
- The organization processing the data is a public authority or body (unless it is a court acting in its judicial capacity)
- Regular and systematic monitoring of data subjects on a large scale is part of the core activities of the data controller or data processor
- The data controller’s or processor’s core activities involve large-scale processing of certain protected categories of data (defined in Articles 9 and 10 of GDPR)
If any of these criteria are met, an organization is required to appoint a DPO. These are the requirements set by GDPR itself, but EU member states can impose more stringent requirements if they choose.
DPOs can be internal or external to the organization and multiple organizations can share a DPO if the DPO is easily accessible from all of the organizations. Also, the role of DPO can be in addition to the employee’s normal duties as long as the other duties do not create a conflict of interest.
Although appointment of a Data Protection Officer may be optional for some organizations, the decision to appoint one obligates an organization and the DPO to fulfill all of the relevant requirements outlined in GDPR.
Requirements to Become a Data Protection Officer
The requirements for becoming a Data Protection Officer, as laid out in the General Data Protection Regulation, are fairly broad. The exact requirements are laid out in Article 39 Section 5 of the regulation and essentially amount to the following three attributes:
- Have the necessary professional qualities
- Be an expert on data protection law and practice
- Be able to perform the necessary duties of the Data Protection Officer
Beyond the description provided in the text of GDPR, the Article 29 Working Party (a group created by the EU to provide guidance about data protection) offers further guidance and interpretation of the requirements of the DPO in its Guidelines on Data Protection Officers. It states that the level of experience and regulatory knowledge required of the Data Protection Officer depends on the complexity of the data processing operations under their oversight: more complex operations call for a higher level of knowledge and experience in the DPO. Additionally, it is helpful if the Data Protection Officer understands the data controller’s business sector and organization in order to provide them with the best possible guidance.
If a Data Protection Officer has the knowledge and skills to perform their necessary tasks, the only other explicitly recommended professional quality is a high standard of ethics. The DPO’s highest priority should be the enforcement of the General Data Protection Regulation.
Performing the Duties of a Data Protection Officer
The primary duty of a Data Protection Officer is to be a resource to the organization regarding the requirements of properly processing and protecting personal information. Beyond the minimum requirements outlined in Article 39, there are not many requirements regarding how DPOs should perform their duties. In fact, GDPR specifically states that DPOs should not be given any instruction regarding how to perform their role by the organization that they serve.
To guide Data Protection Officers in how to do their jobs, GDPR recommends a risk-based approach to identifying and prioritizing the necessary tasks within their organization. For example, if an organization is required to have a Data Protection Officer simply because it is a government organization, it is probably a low priority to drill employees on the special categories of protected data if there is no chance that they will be required to handle them as part of their usual duties.
A DPO’s duties will primarily consist of monitoring the various data processing operations under their oversight and providing GDPR-related guidance. DPOs may keep inventories of the different processing tasks being performed under their oversight, but the responsibility for recording the processing activities being carried out lies with the data controller. However, this record-keeping can be assigned to the Data Protection Officer outside their role as a DPO, and having it may help them in performing their DPO duties.
One required task of a data controller is performing a Data Protection Impact Assessment (DPIA), and the controller is specifically instructed to seek the advice of the DPO when performing this assessment. A Data Protection Officer should be familiar with the terms of this assessment, the relevant guidance within GDPR, and the ways in which they can assist the data controller in performing the assessment.
Understanding the Role of the Data Protection Officer
An organization’s Data Protection Officer is largely an advisory role, designed to ensure that organizations performing data processing that falls under the purview of GDPR have an expert on the regulation readily available to them and to the supervisory authorities (in the case of an incident). The Data Protection Officer is expected to train employees on GDPR requirements as well as to perform audits and offer advice to ensure GDPR compliance. The requirements for the role are mainly that the DPO has the ability to perform the tasks required of them.
References:
- Guidelines on Data Protection Officers, Article 29 Working Party (ec.europa.eu)
- Data Protection Officer, GDPR