What the GDPR says about the role of the Data Protection Officer
The data protection officer shall have at least the following tasks:
- To inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
- To monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- To provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
- To cooperate with the supervisory authority;
- To act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
We’ll break all of this down into reader-friendly English later (one common remark about the GDPR is that it is such a long document with so many cross-references that one has to immerse oneself in it for a few days to get a true feel for it).
Article 38 sets out what the DPO must have once appointed, including resources and ready access to senior management (at board level) and the autonomy required to fulfil the role without interference.
- The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
- The controller and processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.
- The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.
- Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation.
- The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law.
- The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.
- To monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
This requires an organisation to consult the DPO to determine whether processing data in a particular way will be legally compliant. It has sometimes been the case that what appears to be beneficial to a business from a commercial standpoint and which is technically feasible cannot be undertaken because to do so would be to flout the regulations, either knowingly or unknowingly. The DPO will be responsible for examining the proposed processing and deciding whether or not it will fit into the permitted parameters of the legislation. As the point of contact for the ICO, he or she should build relationships within the ICO and consult with that body as a matter of course.
- To provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
A controller must, taking into account developing technologies and the nature and scope of the processing, conduct a data protection impact assessment (also known as a Privacy Impact Assessment or PIA) to determine, amongst other factors, whether the processing will pose a high risk to the rights and freedoms of natural persons. The controller shall seek the advice of the DPO, where designated, when carrying out a data protection impact assessment.
Should it be determined that there is such a risk, Article 36 states that the controller must consult with the ICO prior to commencing any such processing. The ICO may take up to 14 weeks to reach a decision, depending on the complexity of the proposed processing. It is in circumstances such as these that a DPO will advise on mitigating the risk in the proposed processing and consult with the ICO on the controller’s behalf.
- To cooperate with the supervisory authority;
- To act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
Points 4 and 5 can be rolled together and are self-explanatory.
You can go it alone, but if your business needs a DPO, aren’t you better having one that is not on the payroll?