EU data protection regulators have issued guidance on the new duty to appoint Data Protection Officers. This is one of the duties imposed on business by the EU General Data Protection Regulation, which takes effect in May 2018.
The guidance explains when businesses must appoint a DPO, who can be a DPO, and the DPO’s role. It also says that:
DPOs will not be personally responsible for GDPR compliance – that is the data controller or processor’s corporate responsibility; and
individuals and regulators must be able to easily, directly and confidentially contact DPOs.
In good news for business, the guidance suggests a common sense, pragmatic and risk-managed approach.
1. When must an organisation appoint a DPO?
The guidance interprets the GDPR’s main terms on when a DPO must be appointed, including:
core activities:
includes activities where data processing is an inextricable part of the controller’s or processor’s activity, eg. a hospital processing individuals’ data in order to provide healthcare.
monitoring on a large scale:
covers the activity of hospitals, municipal transport systems, tracking geolocation data, behavioural advertising and telephone or internet service providers. The regulators will publish examples of relevant thresholds.
regular and systematic monitoring of the data subject:
includes telecommunications networks, profiling like credit scoring, location tracking, including apps, behavioural advertising, CCTV and smart devices.
2. What kind of person can be the DPO?
The level of expertise isn’t strictly defined, but must match the type of data the organisation processes, the extent of its data processing and the type of data protection issues that arise.
There’s no nationality or residence requirement, but DPOs must have expertise in national and EU data protection law and practice, an in-depth understanding of the GDPR, and a sound knowledge of their organisation’s data processing.
The DPO can be external, and can also be a team of individuals, provided there’s a clear allocation of responsibilities and point of contact.
3. What are the organisation’s responsibilities regarding its DPO?
The DPO must be involved from the earliest possible stage in all data protection issues. In general, the more complex and/or sensitive the processing operations, the more resources must be given to the DPO.
There’s some guidance on the scope of instructions that organisations may give to their DPO, to preserve the DPO’s independence, and protections to prevent dismissal or penalties for diligently performing the DPO role.
The guidance advises organisations to avoid a conflict of interests by drawing up internal rules and positions. A DPO can’t also hold a position that leads him or her to decide how the organisation processes personal data.
The guidance is here.