In this article, Eimear Boyle explains when a DPO is required and the scope of their role.
Who needs to consider appointing a DPO in their business/organisation?
- Public authorities/bodies; or
- Controllers or processors whose core activities consist of regular and systematic monitoring of data subjects on a large scale; or
- Controllers or processors whose core activities consist of the processing on a large scale of special category/sensitive personal data and personal data relating to criminal convictions.
(See Article 37 (plus Articles 9 and 10) for further reference)
How to decide who to appoint/designate?
Remember that a DPO may be an employee or an independent contractor but, regardless, must be free from conflicts of interest in their work as DPO. Also, a single DPO may be shared by more than one public authority/body; likewise, a corporate group may share a single DPO. In doing so, consideration should be given to the accessibility of the DPO and to the size and structure of the organisation.
(See Article 37 (2) and (6) for further reference)
Consider first that the DPO will be responsible for the following under the GDPR:
- Informing and advising the controller or processor and their employees of their compliance obligations under the GDPR, and monitoring that compliance;
- Advising and monitoring data protection impact assessment(s) (DPIA);
- Liaising with the Data Protection Commissioner (DPC) generally and cooperating with them specifically in respect of DPIA(s) requiring prior consultation with the DPC (please see Article 36 for further reference); and
- Always being cognisant of the risks associated with processing operations, which, from a pragmatic point of view, suggests that a DPO’s focus should be on higher risk areas.
These are simply the minimum tasks outlined in the GDPR; the controller or processor may of course add to them.
(See Article 39 for further reference)
Now consider what the GDPR says about the position of the DPO:
- The DPO must be front and centre in all personal data protection matters and report directly to the highest management of the controller or processor;
- They must receive the requisite support and resources from the controller or processor; however, they may not receive instructions from the controller or processor as to how they carry out their tasks and must be fully independent in the performance of those tasks;
- The DPO cannot be dismissed or penalised for performing their tasks;
- The DPO is bound by confidentiality in accordance with EU or Irish law;
- Whilst the DPO is permitted to have another role, the controller or processor is responsible for ensuring that no conflicts arise in respect of such role(s) and the DPO’s data protection obligations; and
- The contact details of the DPO must be published and communicated to the DPC by the controller or processor.
(See Articles 37 and 38 for further reference)
- The GDPR makes no reference to any personal liability for a DPO in the event of non-compliance with the GDPR (the processor or controller is responsible for compliance); and
- It is recommended that the DPO be located in the EU.
Non-exhaustive DPO job description:
- Primary responsibility for developing, updating and monitoring the organisation’s data processing compliance practices in order to ensure compliance with the GDPR and all EU and Irish data protection legislation, beginning with an inventory of all data;
- Create and/or update and maintain a register identifying all of the organisation’s processing operations, having consulted exhaustively with all relevant departments;
- Conduct an in-depth DPIA on processing operations;
- Inform, advise and issue recommendations to the controller or processor;
- Acting strictly autonomously and independently, and in pursuit of privacy by design, advise the controller on which areas should be internally/externally audited (from a data protection perspective), which internal training programmes would be advantageous for staff and which processing operations merit more time and resources, focusing mostly on the higher-risk areas of the organisation’s practices;
- Ensure privacy forms part of all business strategies and that all employees are trained in relation to GDPR awareness;
- Advise the controller on DPIA(s), more particularly, whether to conduct a DPIA and, if so, what methodology to follow, whether the DPIA should be conducted in-house or outsourced and what safeguards apply in respect of the risks to data subjects; and, once a DPIA has been carried out, assess whether it was correctly conducted and whether its conclusions are GDPR compliant;
- Facilitate access by the Data Protection Commissioner (DPC) to any information required by the DPC in the course of its supervisory function;
- Promote the privacy by design ethos throughout the organisation; and
- Regularly and at least quarterly report directly to the organisation’s board of directors.
At Crowley Solicitors, we are available to assist your organisation in accelerating its GDPR readiness. Do not hesitate to contact any member of our team.
This briefing is for general guidance only and should not be regarded as a substitute for professional advice. Legal advice should always be taken before acting on any of the matters discussed.