The GDPR is ‘creating jobs’. A likely 75,000 people worldwide will be appointed Data Protection Officer (DPO) during 2018. A commensurate number of organisations will be required to come to terms with what it means to accommodate this new breed of data security official. The role has been well established in German law for more than a decade. It is a novelty almost everywhere else.
The DPO has board-level lines of communication, responsibilities to the public and regulators, and now exists in every organisation that handles personal data falling under the GDPR.
Their job is to make sure that your organisation remains compliant with the GDPR and all other relevant data protection legislation. However, they are broadly unaccountable to management, their remit extends to every aspect of public data use within your organisation, and their primary responsibility is to the public and the regulator — not your bottom line.
This article is a guide to the DPO. It will explain what you need to understand to either appoint a DPO or begin to take on the responsibilities yourself.
The Scope of the DPO
The DPO’s primary responsibility is to help your organisation remain compliant with the GDPR and other relevant regulatory statutes. The DPO needs to understand every facet of public data use within your organisation (how it is collected, used, stored and disposed of) and how these practices align with all relevant data protection legislation and requirements.
It is important to note that these responsibilities extend beyond the large-scale, systematic or special category processing that triggered the appointment under Article 37 of the GDPR. Once your organisation is required to appoint a DPO, the same higher standards apply to related processing that would not by itself have required a DPO’s scrutiny.
A DPO needs a detailed understanding of data protection laws. They need to become intimately familiar with the technical specifics of how data flows throughout your organisation. Their selection, however, should be approached with caution. Once appointed, a DPO is no longer directly accountable to management.
The DPO is, first and foremost, a customer advocate. They are not prevented by confidentiality agreements from contacting regulators about unmitigated data privacy risks. In fact, they are encouraged to do so. They are legally protected from dismissal or penalisation for carrying out their obligations under the GDPR. This protection covers both actual dismissal or penalties and threats of them.
You are prohibited from supplying the DPO with instructions on how and when to carry out their job. You are required to supply your DPO with adequate resources to undertake their responsibilities as outlined in the GDPR.
Failure to comply with the DPO requirements set out in the GDPR may result in fines of up to €10 million or 2% of global turnover, whichever is greater. Failure to comply with the broader data protection requirements of the GDPR can result in fines of up to €20 million or 4% of annual turnover, whichever is greater. It is important to take the role of DPO seriously: the DPO is primarily there to help you comply with those GDPR requirements and prevent catastrophic failure.
- The DPO is responsible for understanding an organisation’s compliance liabilities, monitoring outcomes and making suggestions for improvement.
- The DPO is encouraged to report any unmitigated risks to the relevant regulatory authorities.
- The DPO is legally protected from penalisation for carrying out their responsibilities and cannot be provided instructions on how to best undertake their job.
- The DPO must be provided with adequate resources to undertake their responsibilities.
Organisational Responsibilities to the DPO
It is an organisation's responsibility to support and aid its DPO. That means a requirement to:
- Involve the DPO closely and regularly in all data protection matters.
- Provide lines of communication to the highest levels of management and/or the board.
- Allow the DPO to operate independently and free from dismissal or penalisation.
- Provide sufficient (time, financial, infrastructure and staff) resources to adequately complete their GDPR obligations.
- Provide access to additional training materials.
- Provide access to personal data and processing activities.
- Seek the advice of the DPO when conducting a DPIA [Data Protection Impact Assessment — see below].
- Record the input of the DPO.
The DPO is an independent function within your organisation. The DPO is not themselves responsible for GDPR or other data protection compliance. They are an advisor. The liability for compliance remains with the organisation holding or processing the data. A DPO’s advice is not binding; however, it is prudent to document why the suggestions of a DPO have been overruled.
The DPO must have direct lines of communication to the highest levels of management and/or the board. They should be consulted on any project developments involving the use of public data. Their contact details must be made available to the relevant regulators and the public, and supplied to everyone affected by a data breach should one occur. The regulator needs to be able to contact the DPO without alerting other functions within your organisation.
- The DPO should be consulted for any projects involving the use of public data.
- The advice of a DPO is not binding, but the reason for ignoring it should be recorded.
- The DPO is an advisor, not the liable party.
- The DPO must be provided with clear lines of communication to the highest levels of management and/or the board.
- The DPO’s contact information must be available to the public and relevant regulators.
The Role of the DPO
The actual day-to-day activities of the DPO will be proportional to the size of your data collection activities and how often they are subject to change. Most of the responsibilities of the DPO pertain to the assessment of new or altered data projects. Even some large companies will only require several dozen hours of active DPO oversight every month.
However, a DPO needs to be available at all times. This availability extends to all departments within your organisation, management, relevant regulators and the public. The DPO should be consulted internally on all data protection matters, and is the first point of contact for members of the public inquiring about the use of their data within your organisation.
Regardless of how much time the fulfilment of these responsibilities takes, the outcome needs to be an understanding of the data protection liabilities within your organisation and the reduction of risk as much as is possible and reasonable.
The GDPR explicitly states that the DPO is to:
- Inform and advise on data protection obligations under GDPR, and all other relevant data protection regulations.
- Monitor organisational compliance with GDPR. That includes understanding how data processing responsibilities are assigned, how data is collected, what it is used for and how it is disposed of.
- Perform audits to ensure maintenance of quality standards.
- Ensure the adequate training of all staff involved in data processing.
- Maintain records of all data processing activities and reviews.
- Carry out Data Protection Impact Assessments (DPIA).
  - These must be undertaken for all data processing that is “likely to result in a high risk” to individuals, or if there is a change in processing procedures.
  - DPIAs cover the nature, scope, purpose and context of the data processing, assess any risks to individuals and make suggestions for mitigation [see subsection].
- Serve as a contact point for data protection authorities.
Organisations are legally required to supply their DPO with sufficient resources to carry out their responsibilities appropriately. This includes training programs, staff, time, infrastructure and financing.
What is the Role of the DPO? — The Undertaking of Data Protection Impact Assessments (DPIA)
One of the primary roles and responsibilities of a DPO is to undertake Data Protection Impact Assessments (DPIA). This is a set of inquiries designed to determine the risks to data protection posed by any new or existing project using public data. Staff other than the DPO can take the lead on conducting a DPIA. However, legally, the DPO must be consulted throughout the process.
In brief, a DPIA should:
- Describe the nature, scope, purpose and context of the data processing in question.
- Assess whether the data use is necessary and proportionate, and identify the compliance measures in place.
- Identify and assess the risks to individuals.
- Identify any additional measures your organisation could take to mitigate those risks.
A DPIA must consider both the severity and likelihood of any impact. There is no obligation to remove risk altogether. The requirement is to minimise risks and show how the remaining risks are justified.
It is advisable to carry out a DPIA for any new or updated procedure involving the use of public data. There is, however, a legal requirement to undertake a DPIA when the processing is likely to result in a high risk to individuals. An effective DPIA will bring together broader compliance, financial and reputational factors to demonstrate accountability.
You should develop a risk assessment that will enable you to determine whether a DPIA is necessary. You should then develop a core set of DPIA criteria to standardise DPIA implementation and allow for easy training procedures.
The DPIA is a key element of the increased focus on accountability and data protection put forward by the GDPR. You are not required to publish your DPIA under GDPR. However, there are benefits to publication. It demonstrates compliance and helps engender trust. The Information Commissioner’s Office (ICO) recommends publishing DPIA results whenever possible — removing sensitive details if necessary.
Summary: The Scope and Role of the DPO is to Independently Assess the Use of All Public Data within Your Organisation
One of the key expansions of responsibility within the GDPR is an emphasis on the need to demonstrate compliance. It is now incumbent on organisations to keep records, explain their decision-making process, and show why they kept the personal data that they chose to process and how they are actively protecting that information. It is important for you to be able to demonstrate to a regulator that best practices for data protection are being implemented.
On a basic level, the DPO is responsible for making sure that all data collection, retention and processing operations are undertaken with as little data as possible, that data is pseudonymised wherever possible, and that the purposes and reasons for data processing operations are clearly stated and outweigh the risks. Your DPO is responsible for understanding data and understanding regulations. They are there to help your company remain compliant with the GDPR and other relevant regulations.
At a minimum, a DPO should help your organisation create a defensible position around data collection, processing and retention policies. This means being able to demonstrate to a regulator that your organisation has made efforts to obtain compliance (even if it hasn’t been achieved) and that you are actively working to improve the situation. This is done through creating an overview of where you are and where you need to be, and then documenting assessments, advice and actions.
The DPO, however, is fundamentally different from other compliance and data roles. Although they will use many of the same tools as your CIO, CISO or CDO, their primary drivers are different.
A primary goal of the DPO is to ensure that only the minimum amount of data necessary is collected and retained about customers. This is often in opposition to the goals and aims of other data functions and, potentially, business interests.
The position pulls together a need for legal, compliance and technical expertise in a person who can make board presentations and may be required to do press conferences in the event of a breach. It is important to think about all of these aspects of the job when looking for the right person to appoint as DPO.