Who is the DPO exactly?
A Data Protection Officer (DPO) is a new function within a company, mandated by the General Data Protection Regulation (GDPR), the piece of privacy legislation that applies across the entire European Union from 25 May 2018.
Articles 37 to 39 of the GDPR (Chapter IV, Section 4) deal with Data Protection Officers. They set out when a DPO must be designated, the position of the DPO within the organization and the DPO’s minimum tasks.
Data protection officers are individuals (who may already be company employees) who are involved in all matters relating to the protection of personal data within a company. The DPO as pictured by the European lawmakers is an expert in data protection law and practice, a ‘chief privacy officer’ of sorts.
Independence and Professionalism
The DPO must be independent: the controller or processor may not give the DPO any instructions regarding the exercise of their tasks, and must not try to influence how those tasks are carried out. The DPO need not be a dedicated employee. An existing member of staff can act as DPO as well, provided they have the necessary expertise.
DPOs are designated by a company on the basis of their professional qualities, in particular expert knowledge of data protection law and practices, although the GDPR does not prescribe specific credentials or certifications. While a DPO may be a staff member, a service contract with an external consultant is also fine. A controller or processor must publish the DPO’s contact details and communicate them to the supervisory authority.
Organizations must provide the DPO with the resources needed to carry out their tasks, including access to personal data and processing operations and the means to maintain their expertise. A DPO may never be dismissed or penalized for performing their tasks, even if the company does not take kindly to their findings. The DPO reports directly to the highest management level, precisely because their independence is so important.
What Are the Tasks of the DPO?
According to the GDPR, the DPO has a lot on their hands. The Data Protection Officer is responsible for informing and advising the controller or processor and the employees who carry out processing of their obligations under the GDPR and other data protection law. In doing so, the DPO must have due regard to the risk associated with each processing operation, taking into account its nature, scope, context and purposes; the more sensitive the data and the more intrusive the processing, the more attention it warrants.
The DPO also monitors compliance with the GDPR, with other EU or Member State data protection provisions, and with the controller’s or processor’s own data protection policies. This includes the assignment of responsibilities, staff training and awareness-raising, and audits of processing activities.
The Expert Advisor
The DPO also provides advice where requested on data protection impact assessments (DPIAs) and monitors how they are carried out. They cooperate with the supervisory authority and act as its contact point on matters relating to processing, including the prior consultation required for high-risk processing. The same goes for data subjects (individuals): they may contact the DPO on any issue relating to the processing of their personal data or the exercise of their rights, so the DPO is the natural first point of contact for a query or a complaint.
The DPO is bound by secrecy or confidentiality concerning the performance of their tasks. They may fulfil other tasks and duties, as long as these do not result in a conflict of interest (a DPO cannot, for example, also be the person who decides the purposes and means of processing). The DPO must be involved, properly and in a timely manner, in all issues relating to the protection of personal data; in practice this means they must be informed at once if a personal data breach occurs, and the DPO’s contact details form part of the breach notification to the supervisory authority.
Who Has to Appoint a DPO?
Organizations whose core activities consist of processing operations that require regular and systematic monitoring of individuals on a large scale, such as behaviour tracking, profiling or location tracking, must appoint a DPO. Both conditions matter: the monitoring must be regular and systematic, and it must be large-scale.
The same applies to organizations whose core activities consist of large-scale processing of special categories of data (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to identify a person, health data, sex life or sexual orientation) or of data relating to criminal convictions and offences. Member States may also require the appointment of a DPO by national law in further cases (Germany has long had a similar scheme under its federal data protection act).
Of note is that public authorities and bodies must always appoint a Data Protection Officer, regardless of the scale of their processing, the only exception being courts acting in their judicial capacity.
A single Data Protection Officer may perform the tasks mentioned above for a group of undertakings, or for several public authorities, provided the DPO remains easily accessible from each of them and the workload, which in turn depends on the size and activities of the organizations, allows it. Large companies would obviously require a dedicated DPO, with possibly an entire team dedicated to privacy issues.
Jack-of-all-trades
As you can see from the above paragraphs, these requirements are fairly vague. The Regulation itself does not define ‘large-scale’; Recital 91 offers some guidance, and the Article 29 Working Party’s guidelines on DPOs (WP 243) list factors to weigh, such as the number of data subjects, the volume and range of data, the duration of the processing and its geographical extent. If you are unsure, you likely need a DPO, and in any case you should document the analysis that led to your decision. A supervisory authority should be able to give a definitive answer, but so should you if you keep proper records of your processing activities (which is required in any case for compliance).
Failure to designate a DPO where one is required can result in significant fines: up to 2 percent of the company’s total worldwide annual turnover for the preceding financial year or EUR 10 million, whichever is higher. So, trying to save money by not employing a DPO would be very unwise to say the least.
A Money-saver?
Besides, a DPO can bring benefits by reducing the administrative burden imposed on other employees as a consequence of ensuring compliance with the GDPR. In fact, the official guidance encourages organizations to designate a DPO even where they are not required to; note, however, that a voluntarily appointed DPO is subject to the same rules on independence, resources and tasks as a mandatory one. A well-educated DPO can save an organization thousands of euros in fines resulting from ignorance of the applicable laws and regulations.
DPOs: (Almost) Mandatory
We therefore expect most companies doing any kind of data processing to eventually hire a DPO, or share one, depending on their size, mainly out of fear of steep fines. What they may find, however, is that a good DPO enhances and streamlines the way they approach data processing and can even bring cost benefits. In any case, the company will also reduce its risk of data breaches and of negligent handling of personal data. A single breach can cost much more than a DPO does, both in financial damage and in damage to reputation. It remains to be seen how soon this will be borne out in practice.