Significant steps must be taken to ensure your organisation achieves and maintains compliance with the GDPR. There are operational implications to consider and many practical issues to address as part of the process. One of the most important ones is deciding whether or not your organisation needs a Data Protection Officer.
GDPR makes the appointment of a DPO mandatory for organisations whose core activities involve the “regular and systematic monitoring of data subjects on a large scale” and those that conduct large scale processing of “special categories of personal data” [designation of DPO – Article 37; “Special Categories” outlined in Article 9]. Based on these stipulations, many organisations fall outside the general mandatory designation requirement but domestic regulators are free to extend it so in many EU countries the threshold is wider; in Croatia and Germany, for example, an exemption will apply to only a very limited number of organisations. DPO appointments can also be made on a voluntary basis; it’s important to note that a voluntary designation is subject to the same strict requirements under GDPR as a mandatory one.
While the Data Protection function is likely to exist within your organisation at the moment, GDPR imposes much stricter conditions so if you decide you must or should appoint a DPO, designating the role to somebody as a tack-on to their day job is probably not a good idea.
Whether it’s a mandatory or voluntary designation, there’s no question it’s a significant investment and a major part of your GDPR preparations and the process of recruiting or training a suitable individual should begin tas soon as possible; not least because the skills and expertise they bring can be used to guide you through your GDPR preparations.
The DPO must be “designated on the basis of professional qualities” [Article 37.5]. They must have:
- Expert Knowledge of Data Protection law and practices – though GDPR does not specify qualifications;
- The Ability to carry out the required tasks set out in GDPR – implicit in this requirement is that the DPO has seniority and autonomy within the organisation and access to sufficient time, personnel, budgetary and other resources as well as the skillset to carry out the role;
- The Ability to deal with Internal & External stakeholders – the DPO is the point of contact for the Board and employees, the Data Protection Commissioner and other supervisory authorities, and Data Subjects for Data Protection practices – withdrawal of consent, the right to be forgotten and other related rights;
- The Independence to fulfil the role, i.e. no Conflicts of Interest with another of their roles;
- The Availability to match the time demanded by the role.
[Article 39 sets out the minimum tasks of the DPO]
The DPO must at least:
- Inform & Advise the Board and personnel of their GDPR and other Data Protection obligations;
- Monitor the organisation’s compliance with all applicable Data Protection obligations – including internal / contractually imposed policies, and
- Assign Responsibilities
- Raise Awareness
- Train Staff
- Related Audits;
- Advise on DPIAs and monitor their performance and compliance with the requirements of GDPR’s Article 35;
- Cooperate with the Supervisory Authority;
- Act as the Contact Point for the Supervisory Authority on issues relating to processing; and must, in the performance of their tasks
- Consciously consider the risks associated with the organisation’s processing operations.
GDPR expressly says that a DPO can be an employee or a contracted service [Article 37.6].
If you opt for a staff member (existing or new hire), the designated person can be full or part-time, it can be a team or one person in a single or dual role.
On the other hand, you might determine that appointing an external contractor is the better option for your organisation.
The important thing is that you should be satisfied that the appointee can carry out their role effectively and that should they have another role it does not conflict or otherwise interfere with their DPO tasks.
… there you have it. To appoint or not to appoint and, if so, who will it be? There are many things to consider in the decision process, the most significant of which is that the that the DPO is a regulated function – a failure of which could lead to a breach of the GDPR and as such to a significant financial sanction. Make sure you take the time to consider all of your options to ensure that you make the best possible decision for your organisation’s particular needs.
By: Fiona Kiely
Published: August 2017
Modified: January 2018
To learn how CalQRisk can help your organisation in fulfilling its GDPR obligations, contact us today.