
The EU General Data Protection Regulation requires certain organizations to appoint a data protection officer. Even where such an appointment is not mandatory, it is still advisable for organizations processing personal data to appoint a DPO. The European Data Protection Board, formerly the Article 29 Working Party, has said DPOs are the cornerstone for organizations in terms of GDPR compliance. The DPO must be involved in all issues concerning the protection of personal data in an organization at the earliest opportunity. DPOs may be internal or external. Due to the critical role that he or she plays, the GDPR requires that the DPO is allowed to exercise their functions independently. So, what exactly is the role of a DPO, and why is it necessary that they be independent?

Responsibilities of the DPO

The DPO is responsible for tracking compliance with the GDPR by the organization. In this role, they must collect information that identifies the processing activities that are taking place, ensure that those activities satisfy GDPR principles and advise the controller or processor accordingly. As such, the DPO plays a central role in record keeping concerning data protection in the organization. The DPO must create inventories and registers that detail the personal data processing operations of the various departments of the organization. Clearly, these records are not only necessary for the organization to comply with its overarching accountability obligations, but are also necessary for the DPO to perform their functions.

The DPO also plays an important role in advising the controller regarding issues concerning data protection impact assessment. The DPO should advise on whether to carry out the DPIA, what methods should be used in carrying out the DPIA and whether it is necessary to engage outside resources to carry out the DPIA. Upon completion of the DPIA, the DPO should advise on whether it has been carried out satisfactorily and how to proceed in view of its findings. If, for instance, significant risks have been identified in some processing operations, they should advise on whether those operations should be abandoned and what safeguards should be put in place to ensure compliance is achieved.

The DPO is the link between the organization, supervisory authorities and data subjects. They facilitate access by the supervisory authority to documents and information to enable it to perform its monitoring role, as well as exercise its investigative, corrective, authorization and advisory powers. It should be noted that the fact the DPO is bound by confidentiality obligations in the performance of their tasks does not preclude them from seeking advice from the supervisory authorities when necessary. In some situations, a careful balance will need to be struck between these two priorities. The DPO is also the contact point for data subjects on issues relating to the processing of their data, including enforcing their rights as provided for under the GDPR. It is important that the DPO can be easily accessed by the data subjects whether through telephone, mail or otherwise. Additionally, the DPO should advise and train employees of the organization on compliance with the GDPR.

In the performance of their duties, the DPO is required to adopt a pragmatic approach by focusing on high-risk processing activities. This should be done without neglecting activities that may be deemed to pose lower levels of risk. To that end, the DPO should advise the controller on the methodology of the DPIA, on which activities require data protection audits and on which ones should be the focus of management regarding enhanced security measures, regular training of staff and resource allocation.

Independence of the DPO and its importance

The GDPR envisages that the DPO performs their work in an independent manner. In other words, the controller should not direct the DPO regarding how they do their work. For example, the DPO cannot be instructed to reach a particular conclusion concerning the investigation of a complaint. The DPO should report to the highest level of management. Ideally this should be the board of directors. This is intended to ensure compliance with the regulations in the sense that management receives timely advice on matters of data protection. The reason for this independence is in recognition of the key role that the DPO plays in ensuring compliance with the regulation.

To achieve the autonomy required by the GDPR, the DPO must be afforded some form of job security. They cannot be dismissed or penalized by the controller or processor as a result of carrying out their duties. This does not mean that the DPO enjoys permanent job security or tenure. They may be disciplined or even terminated for other legitimate reasons, such as disciplinary turpitude. Further, availing the DPO with the necessary resources is not only key to enabling them to perform their duties, but also necessary to achieve the desired independence. The scale of resources depends on the complexity and sensitivity of the processing activities but would include finances, equipment and staff.

Further, care must be taken not to compromise the autonomy of the DPO by putting them in a position that may lead to a conflict of interest. This is more likely in cases where the DPO is internal. While it is permissible to assign the DPO with other tasks, these should, for instance, not require them to determine the means and purposes of processing the data, as this would blur their role with that of the controller.

It has been accurately observed that the DPO is the manifestation of the supervisory authority in an organization. The importance of the DPO in achieving compliance with the GDPR cannot be overstated; however, the DPO is not personally liable for noncompliance, as overall responsibility lies with the data controller. Any decision not to appoint a DPO must be signed off on at a senior level in the organization. In addition, failing to appoint a DPO where one is required may attract a fine of 10 million euros or 2% of annual global turnover, whichever is higher. 

To achieve the strict obligations imposed on controllers and indeed processors under the GDPR, it is important that organizations processing personal data empower and embrace their DPOs and work closely with them, as opposed to viewing them as “nosy night watchmen.” 


12 Comments


  • Tim Bell • Aug 28, 2019
    Thanks Dyann, this is an important area and one in which I expect to see more issues where companies have declared a DPO who doesn't have sufficient experience, independence and/or authority to properly undertake the role.
    
    One other matter to remember on the subject of independence: if a company requires an EU Representative as a result of Article 27 of GDPR (where they have no EU office), if they have appointed an external DPO they should appoint a different company to the role of Representative, to ensure no conflict of interest (in line with EDPB guidance 03/2018).
  • Douglas Egan • Aug 29, 2019
    Excellent article Dyann. Thank you. I enjoyed your presentation in the iapp Webinar, "The Role of the DPO One Year Into the GDPR" as well.
  • Athanasios Michalopoulos • Aug 30, 2019
    The role of the DPO very much resembles the role of the compliance officer that financial institutions and other regulated entities have had for many years now. The cornerstone for the DPO to be able to perform his/her duties is to identify process owners and conduct thorough process mapping to identify the risks. And it will be the responsibility of the process owners to update their processes when required.
  • Simon Hania • Aug 31, 2019
    2 misconceptions in the article: (1) It is not the obligation of the DPO to maintain the records of processing: that is a controller obligation. Of course the DPO needs to verify they exist and are accurate. (2) Honouring data subject rights is a controller obligation as well, not a DPO duty. Again, the DPO should monitor this.
    
    Recognising these topics are controller obligations is relevant, because they have impact on potential conflicts of interest and independence. If a DPO executes these obligations he/she would do so tasked by the controller and hence the DPO would monitor himself/herself for GDPR compliance wrt these duties. A conflict of interest could arise in case of issues raised by data subjects regarding honouring these rights.
    
    Further with respect to independence: my advice is for any controller to define a written DPO charter or policy document, in which responsibilities, accountabilities and tasks are laid down, especially taking into consideration his/her other tasks in case the DPO is a part-time role.
  • Vincent Renaud • Sep 3, 2019
    Very interesting article, thank you. Having discussed with many fellow DPOs from various industries, the recognition and level of independence a DPO enjoys seem to be based on the size of the organization they work for and its stance over privacy matters. The smaller the organization, the more likely the DPO will be very hands-on with documentation of processing activities or DSARs. The bigger the organization, the more he or she will have to delegate and advise. I also find interesting that DPOs generally have a background in either legal, Infosec or data management. This background defines the angle from which they tackle the implementation of the various data protection laws within their organization.
    Having said all that, I am very curious to see the details of fines arising from companies that decided to not follow the advice of their DPO.
  • Bastian Cremer • Sep 5, 2019
    Really want to support Simon's observations. Most DPOs will take a proactive stance and support the controller with business-oriented advice and even hands-on in all privacy related matters anyway. It is paramount, however, to acknowledge, communicate and document (think RACI matrix) within the organization that ultimately controller obligations - such as creating and maintaining records of processing and handling data subject rights - are not DPO obligations.
  • Karen Sermon • Sep 5, 2019
    I enjoyed reading this article. I support both Simon's and Bastian's stance. Independence is definitely a tough area for the smaller and mid-sized organisation. It can also present a challenge for a DPO where there is a lack of resourcing or management buy-in to the organisation's responsibilities as a Data Controller. Improving the independence situation is achievable here but solid, consistent and constant advice, and much hand-holding, is needed to help the organisation to understand and ultimately meet its obligations.
  • Mark Sherwood-Edwards • Sep 7, 2019
    There is a fundamental (and common) mistake in this article, and it’s this sentence: “The DPO should report to the highest level of management”. Yes, the phrase “report to” exists in the English version of the GDPR, and it’s confusing because it mixes up the two meanings of “report to”. Meaning 1: provides reports and information to. Meaning 2: takes instructions from. The GDPR intends Meaning 1, and not Meaning 2. That is evident from the same Article of the GDPR: “The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks” and also from non-English versions of the GDPR. Here’s the Spanish version of the “report to” sentence: El delegado de proteccion de datos rendira cuentas directamente al mas alto nivel jerarquico del responsable o encargado.
    
    That means that the DPO is not part of the executive. He or she is a non-executive, and the closest analogous role is that of a non-exec director: in this case, a non-exec director with a particular responsibility for data protection. That means that the DPO should not be part of the executive of an organisation and, if he or she becomes part of the executive, he or she is making it very hard to fulfill the role of DPO.
    
    A lot of people mix up the role of Chief Privacy Officer and GDPR DPO and use the terms interchangeably, but they are very different.  A CPO (or Head of Privacy, or equivalent) will typically be part of the executive and report to the CEO or the Board (Meaning 2).  A GDPR DPO is not part of the executive and does not report to anyone (Meaning 2): he or she provides information to the Board.  To put it another way: the DPO is not the head of privacy in an organisation, in the same way as a non-exec is not the head of anything in an organisation.
    
    Where a person has the title of DPO in an organisation, and is also the head of privacy, then they can’t be a DPO in the GDPR sense. They are in an impossible conflict: as head of privacy, they have to execute the decisions of the CEO or the Board (as does the CFO, the COO and everyone else in the organisation). As GDPR DPO, they have to review and sign off on the actions they have taken as head of privacy. That’s not workable.
    
    Everyone likes the title of DPO, but you can’t be both a GDPR DPO and the head of privacy – you have to choose (and most organisations can’t afford both, let alone a full-time DPO).
    
    Of course, you can be a DPO and not be a GDPR style DPO (despite what the EDPB says), but that’s a different story.
  • Emma Butler • Sep 9, 2019
    As someone who has been a DPO both in multinational and start-up / SME environments, reality is not as black and white as the law or those who interpret it sometimes suggest. You have to be pragmatic and achieve the law's outcomes, but that doesn't always mean you can follow the strict letter of the law or some of the binary interpretations of the DPO role. You can be 'head of privacy' and a GDPR DPO. Being 'head of privacy' means you lead on privacy compliance stuff. It doesn't mean you are a member of the board, it doesn't mean you are a member of the decision-making management team. It doesn't mean there is a conflict of interest. In a small company you don't have the luxury of a privacy team or office. The privacy person is hired to know about and advise on privacy, but also to get things moving with regards to actual practical compliance measures. There aren't other staff sat there with nothing else to do but draft policies, complete data inventories or respond to a rights request. It's much more about collaborative working in those environments. The business people still make the decisions. You achieve all the law's requirements and outcomes, but you don't split people into silos or binary roles to get there.
  • Keith Dewey • Sep 10, 2019
    Interesting comment from a GC (i.e. the lawyer) yesterday "I advise the business on their processes and contracts therefore I can't be independent of that, and can't be the DPO". I've not heard many GCs verbalise this stance. Although it tends to be less concerning than COOs/CTOs/CISOs putting the DPO hat on...
  • Dyann Heward-Mills • Sep 12, 2019
    I am pleased to learn of the level of interest and discussion on this topic, clearly an important subject for data practitioners!
     
    As explained in the article, DPO independence is mandated by law. That said, how DPOs execute their role is nuanced and evolving. In my view, balance is lost where one takes a binary position on the operational requirements of the role. Context is all important. In my experience the level of operational input required by a DPO depends on a number of factors including – size of organisation; complexity and risk associated with processing; maturity of privacy programme; and available resources (to name just a few). 
     
    The reality is, many DPOs are heavily involved in the operational side of organisations with the ultimate aim of data protection law compliance and protecting rights and freedoms of individuals. This does not necessarily mean they are conflicted or lack independence. As mentioned in the article, liability for non-compliance lies with the Controller. 
     
    At HewardMills we assist clients to create robust Records of Processing Activities (ROPAs) and comply with subject rights including Data Subject Access Requests (DSARs). However, ongoing responsibility for these tasks and decision making in relation to them lies with the organisation. 
     
    As an external DPO, we support clients to execute core operational tasks independently and without conflict or compromise. We are very involved in helping them mature their privacy programmes which includes practical, on the ground, operational support. Let’s face it there’s a lot to do and organisations need all the help they can find from skilled practitioners.
  • Mark Sherwood-Edwards • Sep 14, 2019
    I think the most helpful and common analogy is that of the CFO and the auditor. A CFO could carry out the annual audit of her company’s accounting: after all, she is just as qualified as an auditor, and knows the company’s business better than an external auditor will. However, she doesn’t. Why not? Because she lacks independence, and asking her to audit her company is the same as asking someone to mark their own homework.