Episode 11 – The Data Protection Officer (DPO)
In the past, under the soon-to-be-defunct UK Data Protection Act, the DPO was essentially a name: the person the public contacted when they wanted their name removed from a mailing list, and the person the Information Commissioner's Office contacted each year to request the annual fee. Under the soon-to-be-enacted GDPR, however, the role of the Data Protection Officer becomes much more robust and far-reaching, and the number of companies required to appoint one increases vastly.
The GDPR devotes considerable text to the topic of Data Protection Officers. Articles 37, 38 and 39 set out the requirement to have one and the DPO's duties. Such is the breadth of the requirement that the WP29 (the working party of the EU member states' information commissioners) has produced additional detailed guidance to assist companies in complying with it.
There are perhaps three questions which companies ask, and which we will answer:
- Do I need a DPO?
- What qualifications should they have?
- What will they do?
Do I need a DPO?
The GDPR lacks some clarity as to when a DPO is required and when one is not. Early drafts contained concrete guidance, for example thresholds based on the size of a company, but these were removed and the need for a DPO has instead been aligned with the risk-based approach used throughout the GDPR.
In simple terms, companies should ask themselves:
- Do your core activities consist of processing which requires regular and systematic monitoring of individuals on a large scale? yes/no
- Do your core activities consist of processing which is about special categories of data, on a large scale or about criminal convictions and offences? yes/no
- Are you a public body? yes/no
If you are a public body or authority then yes, you must appoint a DPO.
If you answer yes to either of the first two questions then you must appoint a DPO.
Core activities are defined as those activities necessary to achieve an organisation's objectives, and also include all activities where data processing forms an inextricable part of the organisation's activities.
When assessing scale, organisations should consider things like:
- The volume of data
- The number of data subjects concerned
- The geographical extent of the processing activity
- The duration or permanence of the processing activity.
Remember that under the GDPR the term 'processing' covers just about anything you can do with data, from capturing and storing it through to aggregating, predicting, reporting and transmitting it.
Some countries mandate the appointment of Data Protection Officers in their own data protection laws; Germany, for example, has required companies to appoint DPOs for quite some time.
In a number of areas the GDPR adopts a very broad interpretation of the various points, the definition of processing being a good example [link to GDPR Blog Article Six – Basis for processing data]. If we adopt this same broad interpretation then a large number of companies who use SAP systems will need to appoint a DPO. The basis for this is that SAP has produced a number of excellent business systems over the years: systems which capture and process vast amounts of customer data and produce invaluable insight that has enabled companies to grow and serve their customers in ever more insightful and fulfilling ways. It is this vast reservoir of data, be it on customers or staff, coupled with innovative processing to produce insight, which would indicate the need for a DPO.
What will the DPO do and what qualifications should they have?
In defining the need for a DPO and their duties, Article 37 does not establish the precise credentials data protection officers must carry. It does require that they have "expert knowledge of data protection law and practices." This would prompt many organisations to pass the 'DPO baton' to somebody legally qualified; however, caution is needed in doing so.
The GDPR's recitals go on to suggest that the level of expert knowledge "should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor."
Article 37 GDPR
In other words, the DPO must have a very high level of knowledge and understanding of the GDPR, of its application to the organisation, and of the systems (both IT and non-IT) used by the organisation to process data. As such, passing the DPO baton to somebody with solely legal qualifications would be a mistake.
Perhaps the most helpful resource on the question of DPO qualifications and role functions was recently published by the Spanish Data Protection Authority. It can be found here.
The document lists 20 generic functions of a Data Protection Officer, and of those 20 only 4 require legal understanding or knowledge, and none require a legal qualification. That is not to say that DPOs should not be qualified. The Spanish Data Protection Authority is in the process of developing a certification that all Spanish DPOs will be required to hold, and it is safe to assume that the other European Union Data Protection Authorities will follow suit. An ideal solution would be for the European Commission to develop criteria for DPO certification valid across the European Union, and the International Association of Privacy Professionals is working with the European Commission to make that happen.
In addition to specifying a set of core responsibilities, the GDPR also affords DPOs significant employment protections in line with those responsibilities.
DPOs may insist upon company resources to fulfil their job functions and for their own ongoing training. They must have access to the company's data processing personnel and operations, significant independence in the performance of their role, and a direct reporting line "to the highest management level" of the company. Data Protection Officers are expressly granted significant independence in their job functions and may perform other tasks and duties provided these do not create conflicts of interest. Job security is another perk: the GDPR expressly prevents dismissal or penalty of the Data Protection Officer for performing their tasks and places no limit on the length of this tenure. If a company fails to comply with the GDPR, the DPO cannot be held accountable provided they have acted correctly; the company bears the liability for non-compliance.
The requirement to appoint a Data Protection Officer is one of the more onerous requirements of the GDPR. For companies using SAP to manage their day-to-day operations, finding somebody who is knowledgeable in the GDPR, can fulfil all of the DPO functions outlined by the Spanish Authority and in addition understands the SAP systems used by the company will be a challenge. Indeed, it may well produce a new calibre of consultant within the SAP world. Clearly many of the large consulting firms will begin to model their German counterparts and offer DPO services, if only because suitably qualified and knowledgeable individuals will be difficult to source. The GDPR does permit the use of 'DPO as a service', and this may be an easy means for companies to comply with this particular aspect of the GDPR.
This post is part of the Your Journey to GDPR Compliance series.
Stephen Lofthouse MSc BSc PGCLTHE FHEA is a GDPR Consultant with Proceed and a member of the International Association of Privacy Professionals. He is an award-winning SAP mentor who has worked globally for a number of years both commercially and in academia.