The EU General Data Protection Regulation requires certain organizations to appoint a data protection officer. Even where such an appointment is not mandatory, it is still advisable for organizations processing personal data to appoint a DPO. The European Data Protection Board, formerly the Article 29 Working Party, has said DPOs are the cornerstone for organizations in terms of GDPR compliance. The DPO must be involved in all issues concerning the protection of personal data in an organization at the earliest opportunity. DPOs may be internal or external. Due to the critical role that the DPO plays, the GDPR requires that the DPO be allowed to exercise their functions independently. So, what exactly is the role of a DPO, and why is it necessary that they be independent?
Responsibilities of the DPO
The DPO is responsible for tracking compliance with the GDPR by the organization. In this role, they must collect information that identifies the processing activities that are taking place, ensure that those activities satisfy GDPR principles and advise the controller or processor accordingly. As such, the DPO plays a central role in record keeping concerning data protection in the organization. The DPO must create inventories and registers that detail the personal data processing operations of the various departments of the organization. Clearly, these records are not only necessary for the organization to comply with its overarching accountability obligations, but are also necessary for the DPO to perform their functions.
The DPO also plays an important role in advising the controller regarding issues concerning data protection impact assessment. The DPO should advise on whether to carry out the DPIA, what methods should be used in carrying out the DPIA and whether it is necessary to engage outside resources to carry out the DPIA. Upon completion of the DPIA, the DPO should advise on whether it has been carried out satisfactorily and how to proceed in view of its findings. If, for instance, significant risks have been identified in some processing operations, they should advise on whether those operations should be abandoned and what safeguards should be put in place to ensure compliance is achieved.
The DPO is the link between the organization, supervisory authorities and data subjects. They facilitate access by the supervisory authority to documents and information to enable it to perform its monitoring role, as well as exercise its investigative, corrective, authorization and advisory powers. It should be noted that the fact that the DPO is bound by confidentiality obligations in the performance of their tasks does not preclude them from seeking advice from the supervisory authorities when necessary. In some situations, a careful balance will need to be struck between these two priorities. The DPO is also the contact point for data subjects on issues relating to the processing of their data, including enforcing their rights as provided for under the GDPR. It is important that the DPO can be easily accessed by the data subjects whether through telephone, mail or otherwise. Additionally, the DPO should advise and train employees of the organization on compliance with the GDPR.
In the performance of their duties, the DPO is required to adopt a pragmatic approach by focusing on high-risk processing activities. This should be done without neglecting activities that may be deemed to pose lower levels of risk. In this duty, the DPO should therefore advise the controller on the methodology of the DPIA, which activities require data protection audits and which ones should be the focus of management regarding enhanced security measures, regular training of staff and resource allocation.
Independence of the DPO and its importance
The GDPR envisages that the DPO performs their work in an independent manner. In other words, the controller should not direct the DPO regarding how they do their work. For example, the DPO cannot be instructed to reach a particular conclusion concerning the investigation of a complaint. The DPO should report to the highest level of management. Ideally this should be the board of directors. This is intended to ensure compliance with the regulations in the sense that management receives timely advice on matters of data protection. The reason for this independence is in recognition of the key role that the DPO plays in ensuring compliance with the regulation.
To achieve the autonomy required by the GDPR, the DPO must be afforded some form of job security. They cannot be dismissed or penalized by the controller or processor as a result of carrying out their duties. This does not mean that the DPO enjoys permanent job security or tenure. They may be disciplined or even terminated for other legitimate reasons, such as disciplinary turpitude. Further, providing the DPO with the necessary resources is not only key to enabling them to perform their duties, but also necessary to achieve the desired independence. The scale of resources depends on the complexity and sensitivity of the processing activities but would include finances, equipment and staff.
Further, care must be taken not to compromise the autonomy of the DPO by putting them in a position that may lead to a conflict of interest. This is more likely in cases where the DPO is internal. While it is permissible to assign the DPO other tasks, these should, for instance, not require them to determine the means and purposes of processing the data, as this would blur their role with that of the controller.
It has been accurately observed that the DPO is the manifestation of the supervisory authority in an organization. The importance of the DPO in achieving compliance with the GDPR cannot be overstated; however, the DPO is not personally liable for noncompliance, as overall responsibility lies with the data controller. Any decision not to appoint a DPO must be signed off on at a senior level in the organization. In addition, failing to appoint a DPO where one is required may attract a fine of 10 million euros or 2% of annual global turnover, whichever is higher.
To achieve the strict obligations imposed on controllers and indeed processors under the GDPR, it is important that organizations processing personal data empower and embrace their DPOs and work closely with them, as opposed to viewing them as “nosy night watchmen.”