Data protection officers: WP29 guidelines
The background
When the GDPR applies from May 2018, it will be mandatory for certain data controllers and processors to designate a Data Protection Officer (DPO). This will be the case for all public authorities, and for other organisations whose core activities:
• involve regular and systematic monitoring of individuals on a large scale, and/or
• involve the processing of special categories of personal data and/or data relating to criminal convictions and offences on a large scale.
The guidelines recommend that, unless it is obvious that an organisation is not required to designate a DPO, controllers and processors should document the internal process they carry out to determine whether a DPO should be appointed. When an organisation appoints a DPO on a voluntary basis, the same requirements under the GDPR apply to them as if their appointment was mandatory (eg independence, freedom from unfair dismissal, publication of contact details etc).
“Public authority or body”: not defined in the GDPR and to be determined under national law, but it covers national, regional and local authorities. WP29 also recommends, as good practice, that private organisations carrying out public tasks or exercising public authority designate a DPO.
“Core activities”: the key operations necessary to achieve the controller/processor’s goals (eg the core activity of a hospital is healthcare). So activities which are “an inextricable part” of the controller’s pursuit of its goals are covered.
“Large scale”: not defined in the GDPR, but WP29 recommends considering the following factors: the number of data subjects concerned; the volume of data being processed; the duration or permanence of the processing; and the geographical extent of the processing. Examples of large scale processing include the processing of personal data for behavioural advertising by a search engine and the processing of data (content, traffic, location) by a telco or ISP.
“Regular and systematic monitoring”: again, not defined in the GDPR, but the guidelines say it includes all forms of tracking and profiling on the internet, including for online behavioural advertising, location tracking, fitness/health data tracking, CCTV and connected smart devices. The concept of monitoring is not limited to the online environment.
Expertise and skills of the DPO
Article 37(5) GDPR provides that the DPO “shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39”. The guidelines suggest that the level of expertise should be commensurate with the sensitivity, complexity and amount of data an organisation processes.
The DPO’s role
Pursuant to the GDPR, DPOs should:
• be involved, properly and in a timely manner, in all issues relating to the protection of personal data
• be given the resources necessary to carry out their tasks
• assist the controller/processor to monitor internal compliance
• have due regard to the risk associated with the processing operations
• provide advice to the controller/processor where requested regarding any data protection impact assessment.
DPOs should not:
• be instructed in how to deal with a matter, eg being told what result should be achieved, how to investigate a complaint or whether to consult the supervisory authority
• be dismissed or penalised for performing their duties.
The data controller/processor, not the DPO personally, is responsible for any non-compliance with the GDPR.
Why is this important?
Failure to appoint a DPO in circumstances where one is required is surely one of the quickest ways to breach the requirements of the new GDPR. If a business were to fail to do this, and then have a data breach, one can see a regulator quickly lining up a significant fine under the GDPR’s fining regime: for DPO obligations (Articles 37 to 39) the applicable tier under Article 83(4) is up to €10m or 2% of total worldwide annual turnover, whichever is higher, with the upper tier of €20m or 4% reserved for breaches of the core principles and data subject rights.
Any practical tips?
If the GDPR requires you to have a DPO, and you do not have one already, then you had better find one quickly. Salaries tend to inflate in a high demand market …