The DPO will have professional standing, independence, expert knowledge of data protection and, to quote the GDPR, be 'involved properly and in a timely manner' in all issues relating to the protection of personal data.
The DPC recommends that all organisations who will be required by the GDPR to appoint a DPO should do this as soon as possible and well in advance of May 2018. With the authority to carry out their critical function, the Data Protection Officer will be of pivotal importance to an organisation's preparations for the GDPR and meeting the accountability obligations.
A DPO may be a member of staff at the appropriate level with the appropriate training, an external DPO, or one shared by a group of organisations, which are all options provided for in the GDPR.
It is important to note that DPOs are not personally responsible where an organisation does not comply with the GDPR. The GDPR makes it clear that it is the controller or the processor who is required to ensure and to be able to demonstrate that the processing is in accordance with the GDPR. Data protection compliance is ultimately the responsibility of the controller or the processor.
Who needs a DPO?
- All public authorities and bodies, including government departments.
- Where the core activities of the organisation (controller or processor) consist of data processing operations, which require regular and systematic monitoring of individuals on a large scale.
- Where the core activities of the organisation consist of special categories of data (ie health data) or personal data relating to criminal convictions or offences.
Public Authority or Body?
Public authorities and bodies include national, regional and local authorities, but the concept typically also includes a range of other bodies governed by public law.
It is recommended, as a good practice, that private organisations carrying out public tasks or exercising public authority should designate a DPO.
Core activities can be defined as the key operations necessary to achieve an organisation's (controller or processor's) goals. For example, a private security company which carries out surveillance of private shopping centres and/or public spaces using CCTV would be required to appoint a DPO as surveillance is a core activity of the company. On the other hand, it would not be mandatory to appoint a DPO where an organisation undertakes activities such as payroll and IT support as, while these involve the processing of personal data, they are considered ancillary rather than core activities.
While the GDPR does not define large-scale the following factors should be taken into consideration;
- The number of individuals (data subjects) concerned - either as a specific number or as a proportion of the relevant population
- The volume of data and/or the range of different data items being processed
- The duration, or permanence, of the data processing activity
- The geographical extent of the processing activity
Examples of large-scale processing include:
- processing of patient data in the regular course of business by a hospital
- processing of travel data of individuals using a city's public transport system (e.g. tracking via travel cards)
- processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in providing these services
- processing of customer data in the regular course of business by an insurance company or a bank
- processing of personal data for behavioural advertising by a search engine
- processing of data (content, traffic, location) by telephone or internet service providers
Examples that do not constitute large-scale processing include:
- processing of patient data by an individual doctor
- processing of personal data relating to criminal convictions and offences by an individual lawyer
Regular and systematic monitoring
Regular and systematic monitoring should be interpreted, in particular, as including all forms of tracking and profiling on the internet, including for behavioural advertising. However, the definition of monitoring is not restricted to the online environment. Online tracking is just one example of monitoring the behaviour of individuals.
'Regular' is interpreted by the Working Party 29 (comprising the EU's data protection authorities) as meaning one or more of the following:
- Ongoing or occurring at particular intervals for a particular period
- Recurring or repeated at fixed times
'Systematic' is interpreted as meaning one or more of the following:
- Occurring according to a system
- Pre-arranged, organised or methodical
- Taking place as part of a general plan for data collection
- Carried out as part of a strategy
Examples would likely include operating a telecommunications network; data driven marketing activities; profiling and scoring for purposes of risk assessment (eg fraud, credit scoring, insurance premiums); loyalty programmes, CCTV, and connected devices (eg smart cars)
Special Categories of Data - these include personal data revealing; racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation or personal data relating to criminal convictions and offences.
Further information and guidance
Further information and guidance on the Data Protection Officer role is set out in the guidelines of the Working Party 29. In particular, these guidelines set out the position of the EU's data protection authorities on matters such as:
- Designation of a single DPO for several organisations
- Expertise and skills of the DPO
- Role, tasks, responsibilities and independence of the DPO
- Resources that should be provided to a DPO to carry out their tasks
Article 37.5 of the GDPR provides that a Data Protection Officer "shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39."
The GDPR does not define the professional qualities required or prescribe the training a DPO should undergo to be qualified to undertake the role. This allows organisations to decide on their DPO's qualifications and training tailored to the context of the organisation's data processing.
The appropriate level of qualification and expert knowledge should be determined according to the personal data processing operations carried out, the complexity and scale of data processing, the sensitivity of the data processed and the protection required for the data being processed.
For example, where a data processing activity is particularly complex, or where a large volume or sensitive data is involved (i.e. an internet or insurance company), the DPO may need a higher level of expertise and support.
Relevant skills and expertise include: expertise in national and European data protection laws and practices including an in-depth understanding of the GDPR; understanding of the processing operations carried out; understanding of information technologies and data security; knowledge of the business sector and the organisation; and ability to promote a data protection culture within the organisation. For example, a DPO may need an expert level of knowledge in certain specific IT functions, international data transfers, or familiarity with sector-specific data protection practices such as public sector data processing and data sharing, to adequately perform their duties.
Taking into account the scale, complexity and sensitivity of their data processing operations, organisations should proactively decide on the qualifications and level of training required for their Data Protection. Officer.
In undertaking such an assessment, organisations should be aware that there are various training options that may be pursued. Some training courses are one-day sessions, while some are online only. Others lead to academically
accredited certificates such as diplomas from national law societies. There are also other professional training programmes which are recognised internationally and that offer professional qualifications that require an ongoing commitment to training in order to maintain the professional qualification.
The Data Protection Commissioner recommends that the following non-exhaustive list of factors be taken into consideration when selecting the appropriate DPO training programme:
- the content and means of the training and assessment;
- whether training leading to certification is required;
- the standing of the accrediting body; and
- whether the training and certification is recognised internationally.
In any case, a Data Protection Officer should have an appropriate level of expertise in data protection law and practices to enable them to carry out their critical role.
Conflict of Interests
It is important to take into account that while a DPO is permitted to fulfil other tasks and duties, the organisation is required to ensure that any such tasks and duties do not result in a conflict of interests. This is essential to protecting the independence of the DPO. In particular, it means that a DPO cannot hold a position in an organisation where they have the authority to decide the purposes for which personal data is processed and the means by which it is processed.
While each organisational structure should be considered case by case, as a rule of thumb, conflicting positions within an organisation may include senior management positions such as chief executive, chief operating/financial/medical officer, head of HR or head of IT). The WP 29 guidelines address this matter in further detail.
Publication and communication of the DPO's contact details
Organisations will be required by the GDPR to publish contact details of the DPO and to communicate these details to the relevant data protection authority. The purpose of this requirement is to ensure that individuals (internal and external to the organisation) and the data protection authority can easily and directly contact the DPO without having to contact another part of the organisation. Further guidance is included in the WP 29's guidelines.
To assist organisations in communicating the contact details of their DPO to the Data Protection Commissioner, an online portal on the DPC website is being developed and will be rolled out in 2018.