Data Protection Officer under the GDPR
- Lydia Gu
- 3 May
- 3 min read
Scope of this note
The General Data Protection Regulation (‘GDPR’), which has applied across the EU since 25 May 2018, provides a modernised, accountability-based compliance framework for data protection in Europe. Data Protection Officers (‘DPOs’) are at the heart of this legal framework for many organisations, facilitating compliance with the provisions of the GDPR.

When do you need to appoint a DPO?
Under the GDPR, there is a mandatory duty to appoint a DPO for a public authority or body (irrespective of what data it processes), or for an organisation whose core activities involve regular and systematic monitoring of data subjects on a large scale. The duty also applies to organisations whose core activities involve processing special categories of personal data, or data relating to criminal convictions and offences, on a large scale.
Organisations that are not required to appoint a DPO may do so voluntarily. However, in making a voluntary appointment, an organisation takes on responsibility for ensuring that the designation, and the DPO's position and tasks, are consistent with the provisions of the GDPR.
Can the DPO be an existing employee?
Yes. As long as the professional duties of the employee are compatible with the duties of the DPO and do not lead to a conflict of interests, you can appoint an existing employee as your DPO, rather than having to create a new post. You can also appoint a DPO who is external to the company.
Who is responsible for compliance?
DPOs are not personally responsible in the event of non-compliance with the GDPR. The GDPR makes it clear that it is the controller or processor who is required to ensure, and to be able to demonstrate, that processing is performed in accordance with its provisions.
The controller/processor also has a crucial role in enabling the effective performance of the DPO’s tasks. Appointing a DPO is a first step, but DPOs must also be given sufficient autonomy, training and resources to carry out their tasks effectively.
Organisational role of the DPO
The GDPR clearly intends for the DPO to play a key role in building data protection into the organisational culture. Article 38 requires that the DPO be involved, properly and in a timely manner, in all issues relating to the protection of personal data. The WP29 Guidance suggests that the DPO plays a major role in embedding essential aspects of the GDPR into the organisational culture, from ensuring that the data protection principles are respected to preserving data subjects' rights, recording data processing activities and ensuring the security of processing.
To do this, the GDPR requires that DPOs are provided with the necessary support and resources to enable them to effectively carry out their tasks. The GDPR contains some requirements in relation to the nature of these resources, and the WP29 Guidance sets out a number of additional factors that should be considered:
Reporting to highest management level.
Time for DPOs to fulfil their duties. This is particularly relevant for DPOs appointed on a part-time basis or external appointments.
Adequate financial resources, infrastructure (premises, facilities and equipment) and staff where appropriate.
Official communication of the designation of the DPO to make known the existence and function within the organisation.
Access to other services, such as HR, IT and security, who should provide support to the DPO.
Continuous training so that DPOs can stay up to date with regard to data protection developments.
Where a DPO team is deemed necessary, a clear infrastructure detailing roles and responsibilities of each team member.
Tasks of the DPO
The ideal profile and tasks for a DPO will depend on the particular issues facing the organisation and the wider industry in which it operates. However, Article 39 of the GDPR sets out the tasks that a DPO should be expected to undertake as a minimum:
To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
To monitor compliance with the GDPR, other relevant laws, and data protection policies in place, including managing internal data protection activities, raising awareness of data protection issues, training staff and conducting internal audits.
To advise on, and to monitor, data protection impact assessments.
To cooperate with the supervisory authority.
To act as a contact point for the supervisory authority and for individuals whose data is being processed.
In performing all of these tasks, the DPO is required to have due regard to the risk associated with the processing operations, taking into account the nature, scope, context and purposes of the processing.
Obligation to publish details of the DPO
The GDPR requires that the contact details of the DPO are published and communicated to the supervisory authority (in the UK, the ICO).
If you have any questions or enquiries about GDPR compliance, or would like advice tailored to your business, please feel free to contact our corporate and commercial team at enquiry@gulegal.org.
The material contained in this note is provided for general purposes only and does not constitute legal or other professional advice. Appropriate legal advice should be sought for specific circumstances and before action is taken.