Who is a data protection officer?
The data protection officer (DPO) is a staff member or contractor appointed by the controller or processor to ensure and demonstrate compliance with data protection law. This internal official must be an expert in data protection law and practices.
Under the GDPR (Articles 37 to 39), appointing a DPO is now mandatory if:
- The controller is a public authority.
- The core activities of the controller or processor include regular and systematic monitoring of data subjects on a large scale.
- The core activities of the controller or processor consist of large-scale processing of special categories of data.
The first two categories are more obvious than the third. For the third, one needs to assess the two key ingredients, i.e. ‘special categories’ and ‘large-scale’. Special category data is defined under Article 9 of the GDPR as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
The term ‘large-scale’ is less clear and requires an assessment of the proportion of data processed by the business in its key day-to-day activities, excluding internal personal data relating to staff.
Where a business is unsure (e.g. it processes special category personal data but is unclear whether the amount is large enough), or where it is confident that it is not mandated to appoint a DPO, it may still decide to err on the side of caution as a matter of good management and assign ownership of all data protection/privacy duties to a single person, such as a head of privacy or chief privacy officer.
You can appoint an external provider of data protection officer services under a services contract, whether that provider is an individual or an organisation.
GDPR guidance recommends that the service contract clearly allocate tasks within the external DPO’s team and name a key person (where there is a team) to take charge. This should help to avoid any misunderstandings around the scope of the role and avoid conflicts of interest.
Note that although the EU doesn’t exclude a data protection officer from carrying out more than one business function, it is essential to ensure that no conflict of interest exists. Ideally, the DPO will be a standalone role, but if the DPO does perform another function, it should not be one that involves key decision making in the areas of IT, HR, marketing, finance or general business activity. The DPO should be an autonomous ‘check and balance’ role.
Tasks and responsibilities of a DPO
The DPO should have expert knowledge of data protection law. The tasks and responsibilities of the DPO are to:
- Ensure compliance and manage risk, e.g. by monitoring GDPR compliance, advising on data protection impact assessments, providing GDPR training to staff and conducting periodic internal audits.
- Advise the controller, processors and employees who carry out the processing of their data protection obligations.
- Be a point of contact with the supervisory authority.
- Communicate with data subjects and the supervisory authority.
- Exercise professional secrecy.
Responsibilities of the business, i.e. the controller/processor
Both controllers and processors have obligations in relation to the data protection officer, including appointing a DPO where required.
The following provisions for controllers and processors should be in place to help the DPO carry out their tasks unhindered:
- Facilitate communication with, and involvement of, the DPO in all issues related to personal data protection.
- Controllers and processors should involve DPOs in all personal data protection matters.
- Provide support to the DPO.
- Provide the DPO with access to personal data and processing operations.
- Help the DPO maintain expert knowledge of topics and issues related to personal data protection.
- Ensure the DPO acts completely independently and does not receive instructions from anyone except the supervisory authority.
- Ensure the DPO is not dismissed or penalised for performing his or her tasks.
- Ensure that the DPO is not put in a position of conflict of interest, such as one that requires determining the purposes and means of processing personal data.
- Ensure that the DPO reports to the highest levels of management.
CloudLegal can provide you with further advice if you need it!
Tel: 0800 6894168