Appointing a Data Protection Officer

You’ve decided, because of either the size and operating scope of your business or the nature of the data processing involved, that you need to appoint a Data Protection Officer (DPO) to comply with Article 37 of the General Data Protection Regulation (GDPR). Alternatively you might just think it’s simpler to have one person dealing with your data protection obligations.

Adding on the role to your IT Manager?

You may, if you haven’t looked into the topic too closely, toy with the idea of adding the role to the duties of your IT or operations manager. At first glance that would seem an obvious step to take, since the person responsible for running your IT and ensuring that your network functions securely is already protecting your data.

However, should you either examine the requirements yourself or take advice on the subject you’ll find that the role of the Data Protection Officer requires an unusual skill-set and a remit that carries complete autonomy – which we’ll take a look at once we’ve identified what a DPO is expected to do.

How Does Your DPO Job Description Measure Up?

Let’s take a look first at what GDPR describes as the minimum responsibilities of a DPO, as laid down in Article 39.

The data protection officer shall have at least the following tasks:

  1. To inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
  2. To monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
  3. To provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
  4. To cooperate with the supervisory authority;
  5. To act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.

The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

We’ll break all of this down into reader-friendly English later (one common comment about the GDPR is that it is such a long document, with so many cross-references, that one has to immerse oneself in it for a few days to get a true feel for it).

Article 38 sets out what the DPO must have once appointed, including resources and ready access to senior management (at board level) and the autonomy required to fulfil the role without interference.

  1. The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
  2. The controller and processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.
  3. The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.
  4. Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation.
  5. The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law.
  6. The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.

While there are many organisations recruiting for a DPO, the skills specifications of these posts vary enormously. Some organisations appear to be under the illusion that the role of a DPO is primarily a technical one and are searching for candidates with a strong IT background. While there is certainly a need for the DPO to understand the ways in which data is processed, stored and disposed of, the emphases within the GDPR are on regulation, governance, advice, education and communication.

Does Your DPO have Legal Training?

Returning to the description of the DPO role within the regulation:

  1. To inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;

This requires an ability to provide a clear interpretation of the law in lay terms – not only the GDPR and the forthcoming Data Protection Act, but also the Privacy and Electronic Communications Regulations (which are also due to change soon), the Human Rights Act and others, and how they collectively intersect.

  2. To monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;

Once again we can see that this requires an organisation to consult the DPO to determine whether processing data in a particular way will be legally compliant. It has sometimes been the case that what appears to be beneficial to a business from a commercial standpoint, and which is technically feasible, cannot be undertaken because to do so would be to flout the regulations, either knowingly or unknowingly. The DPO will be responsible for examining the proposed processing and deciding whether or not it will fit into the permitted parameters of the legislation. As the point of contact for the ICO, he or she should build relationships within the ICO and consult with that body as a matter of course.

  3. To provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;

A controller must, taking into account developing technologies and the nature and scope of the processing, conduct a data protection impact assessment (also known as a Privacy Impact Assessment or PIA) to determine, amongst other factors, whether the processing will pose a high risk to the rights and freedoms of natural persons. The controller shall seek the advice of the DPO, where designated, when carrying out a data protection impact assessment.

Should it be determined that there is such a risk, Article 36 states that the controller must consult with the ICO prior to commencing any such processing. The ICO may take up to 14 weeks to reach a decision, depending on the complexity of the proposed processing. It is in circumstances such as these that a DPO will advise on mitigating the risk in the proposed processing and consult with the ICO on the controller’s behalf.

  4. To cooperate with the supervisory authority;
  5. To act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.

Points 4 and 5 can be rolled together and are self-explanatory.

Conclusion

The role of Data Protection Officer is far more suited to an individual with an overall understanding of the elements of data processing and an ability to apply the law to processes involving personal information than it is to someone with advanced technical or operational management abilities but much less knowledge of the law.

For all that it deals with data, GDPR is a legal instrument that calls for some interpretation when applied to the many ways in which data is processed. To consider the application of the law in a business environment also requires a background in how business decisions affect operational performance and where a line can be drawn between legality and illegality. Part of the DPO’s role is to ensure that an organisation can function efficiently while keeping on the right side of that line.

Need some help? Call us on 01244 300413 or email support@lawhound.co.uk. We offer a no-obligation FREE chat to help you work out what is best for you to comply with GDPR.