Under Article 37 of the General Data Protection Regulation (GDPR), public authorities and bodies (other than courts acting in their judicial capacity) will be required to designate a Data Protection Officer (DPO). Private sector organisations will also have to appoint a DPO where their core activities consist of large-scale regular and systematic monitoring of data subjects, or of large-scale processing of sensitive (special category) personal data.
On 16 December 2016, the Article 29 Working Party (WP29) published its draft guidelines on the role of the DPO, setting out its interpretation of the GDPR's provisions on that role. One of the most significant changes in the GDPR is the requirement for controllers and processors to be able to demonstrate compliance with the Regulation. As the WP29 puts it, the DPO is “a cornerstone” of this principle of “accountability”.
That said, the WP29 emphasises that compliance is the controller’s or processor’s responsibility and DPOs are not personally responsible for compliance with the GDPR.
The terms “public authority or body”, “core activities”, “large scale” and “regular and systematic monitoring” aren’t defined in the GDPR, so the WP29 offers its interpretation and guidance on their meaning. In summary:
The WP29 considers that such a notion [“public authority or body”] is to be determined under national law. Accordingly, public authorities and bodies include national, regional and local authorities, but the concept, under the applicable national laws, typically also includes a range of other bodies governed by public law.
‘Core activities’ can be considered as the key operations to achieve the controller’s or processor’s objectives.
Regular and systematic monitoring of data subjects ... clearly includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising. However, the notion of monitoring is not restricted to the online environment.
Factors to be considered when deciding whether processing is “large scale” include the number of data subjects, the volume and range of data, the duration of the processing and its geographical extent. A simple example given is the processing of healthcare-related data by an individual doctor (not large scale) compared with a hospital (large scale).
The WP29 goes on to recommend that, unless a DPO is obviously not required, controllers and processors should document the analysis and process leading to their decisions whether or not to appoint a DPO.
DPOs may be appointed on a voluntary basis, but where they are, the same GDPR requirements regarding their designation, role and tasks will apply as to mandatory DPO appointments. Therefore, where organisations don’t appoint a DPO but do, as they may, assign data protection related tasks to their staff or external consultants, it should be made clear internally and externally that such staff or consultants are not DPOs.
The GDPR provides that DPOs “shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks [set out in the Regulation]”. There is no particular qualification or certification specified in the Regulation, but the WP29 considers the necessary skills and expertise to include:
expertise in national and European data protection laws and practices including an in-depth understanding of the GDPR;
understanding of the processing operations carried out;
understanding of information technologies and data security;
knowledge of the business sector and the organisation;
ability to promote a data protection culture within the organisation.
The role of the DPO may be contracted out to an external service provider and, where it is, the DPO may be a natural person or a legal person (e.g., a limited company). In the latter case, the WP29 recommends that for reasons of legal clarity and good organisation, the contractor should designate a named person as the lead contact for the client.
The DPO does not necessarily have to be a full-time role, but as the WP29 puts it, “the DPO’s primary concern should be enabling compliance with the GDPR” and “having sufficient time to devote to DPO tasks is paramount”.
Where DPOs have other duties, these cannot be incompatible with their DPO functions. Examples given by the WP29 of roles which would conflict with the DPO's duties include:
Chief Executive Officer;
Chief Operating Officer;
Chief Financial Officer;
Chief Medical Officer;
Head of Marketing;
Head of Human Resources;
Head of IT.
The last of these, while clearly flagged, will be problematic for many of our clients. Historically, data protection compliance has by default landed on the desks of IT Managers. Where an organisation appoints a DPO, this will no longer be an option: the WP29's concern is that a DPO must not hold a position in which they determine the purposes and means of processing personal data, and the Head of IT typically does.
The WP29 draft guidelines are very extensive and provide welcome clarity as to its expectations regarding the appointment and duties of DPOs. It has also published draft guidelines on the right to data portability and identifying a controller or processor’s lead supervisory authority. It invites submissions on these, to be received by the end of January 2017. It has also indicated it intends to publish guidelines on the Data Protection Impact Assessment and certification of controllers and processors in 2017.