What does a DPO do? Does your organisation need one? What skills and qualifications should a DPO have? Who should they report to?
This report aims to answer these questions and provides insight into how DPOs are preparing to comply with the GDPR, which applies from 25 May 2018.
The main role of a DPO
A DPO should be an organisation’s privacy and consumer champion. They should take ownership of compliance and promote it, and have a public-facing function representing the interests of data subjects (customers, subscribers, donors etc).
A DPO’s job is to identify and mitigate data protection risks, ensuring the organisation complies with the relevant regulation. They also act as the main point of contact with the supervisory authority (the data protection regulator).
The role involves promoting privacy awareness at the most senior level, as well as ensuring all staff are trained and know their data protection responsibilities and obligations. For example, do staff know what a data breach is, how to prevent a breach and what to do when one happens?
A DPO should be at the forefront of ensuring a Privacy by Design approach is adopted. One way of performing this role is to ensure relevant stakeholders undertake Privacy Impact Assessments (termed Data Protection Impact Assessments, or DPIAs, under Article 35 of the GDPR) when required.
The role should be independent, so the DPO can effectively scrutinise all business activities with a data protection element. Recital 97 of the GDPR states: “data protection officers, whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner.”
The role must be supported by the organisation; the DPO must have adequate resources and training to fulfil their job. A financial target should not form part of their remuneration package as this would create a conflict of interests.
The most effective approach is to have one person dedicated to the role, rather than sharing the job between people in different departments, e.g. marketing, IT and legal. Indeed, under the GDPR there needs to be a single named individual. In addition to the DPO role, it may be appropriate (depending on the size of the organisation) to also have a group of stakeholders who act as privacy champions within various departments.
The precise nature of the role will depend on the organisation’s size, structure and data assets. For smaller organisations it might be a part-time or contractual role. It’s worth noting that Article 38(6) of the GDPR states: “The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.”
The GDPR (Article 37(7)) also specifies that the controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.
Does your organisation need a DPO?
Under Article 37(1) of the GDPR it is mandatory for an organisation to designate a DPO where:
- the processing is carried out by a public authority or body (except for courts acting in their judicial capacity)
- the organisation’s core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale
- the organisation’s core activities consist of large-scale processing of special categories of personal data (i.e. sensitive data) or of personal data relating to criminal convictions and offences
The Article 29 Working Party has published guidelines on DPOs (WP 243) which set out how these criteria, including “core activities”, “large scale” and “regular and systematic monitoring”, should be interpreted.
However, even for organisations not caught by the mandatory requirement, it’s worth considering hiring a dedicated DPO or at least appointing an individual to take ownership of compliance.
There’s a competitive advantage to having a DPO; the DPO could be a brand asset demonstrating that the organisation is committed to data protection and transparency. It tells customers/consumers there is someone they can contact who is on their side. This is likely to have a positive impact on whether individuals choose to share their data with the organisation.
In considering hiring a DPO it’s important to focus on responsibility and risk. What’s the risk to your organisation of not having someone responsible for compliance? Are you at risk if you don’t have an individual who has your customers’ interests at heart as well as the organisation’s? Is there a responsibility to ensure the organisation has someone who can competently handle Subject Access Requests (which are set to increase when the fee is removed under the GDPR)? A DPO could be crucial in preventing reputational damage.
In light of the eye-watering financial penalties for breaching the GDPR, it’s also worth noting that having a DPO, and the organisational measures they put in place, may be taken into account as a mitigating factor when fines are set.
What skills and qualifications do they need?
Ideally, a DPO should have a certified data protection qualification. However, for some organisations it may be appropriate to appoint an individual with a background in compliance (either internally or externally) and offer certified training on the job.
A DPO doesn’t need to be a lawyer; legal expertise doesn’t necessarily make someone a good DPO and could even be a hindrance. Lawyers tend to see their role as instructing people on what the rules are, whereas a DPO’s role is to encourage compliance and highlight risk. A DPO needs to be able to balance commercial and compliance considerations; they shouldn’t be someone who just says ‘no’ but rather someone who assesses the risks and offers compliant solutions.
Effective communications skills are crucial. A DPO needs to be able to handle queries from members of the public sensitively, as well as training staff and promoting compliance internally.
The role should be filled by someone who can demonstrate an ability to collaborate with others, such as the IT, security and marketing departments.
Most crucially a DPO must have the strength of character to be able to discuss privacy issues at a senior level, a role which may require telling board members things they don’t want to hear. They must be someone who can act independently and be able to liaise confidently with the Data Protection Regulator, if required.
The GDPR (Article 37(5)) states: “The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.” Article 39 lists those tasks: informing and advising the organisation and its staff, monitoring compliance, advising on Data Protection Impact Assessments, and cooperating with and acting as the contact point for the supervisory authority. Recital 97 adds: “The necessary level of expert knowledge should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor.”
Article 38(3) further requires that the controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks.
Where should a DPO sit within the organisational structure; who should they report to?
The GDPR (Article 38(3)) states: “The data protection officer shall directly report to the highest management level of the controller or the processor.”
It couldn’t be clearer – the DPO needs to report to senior management. In smaller organisations this might be the CEO; in larger ones it might be the Chief Risk Officer, Chief Financial Officer or Chief Operating Officer. For not-for-profit organisations it might be decided that the DPO should report to the Trustees.
Organisations operating on a global level may opt to have a Global DPO, together with a number of DPOs working at a regional level.
DPOs need to be able to communicate face to face: training staff, getting under the skin of the processing being undertaken, and promoting innovation and security. A DPO situated too remotely may prove ineffective.
Is it feasible for the DPO to be the internal whistle-blower?
The GDPR (Article 38(3)) states: “The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks.”
In Germany, where a DPO has long been required under national law, the role is already a very independent one; very much the policeman and whistle-blower. High profile cases have shown German DPOs are not afraid to inform the regulator of their organisation’s non-compliance.
It remains to be seen whether this can work in practice across Europe with its different cultural nuances. The DPO certainly has a difficult job in juggling their responsibilities to three distinct groups; the organisation, the data subjects and the regulator.
What are DPOs doing within their organisations to prepare for GDPR?
These are some of the main areas DPOs are focusing on now to ensure compliance:
- Undertaking data audits: what personal data is held, what permissions attach to it, and whether it will be fit for purpose under the GDPR
- Highlighting the risks and penalties at a senior level
- Identifying key priorities and budgeting for them
- Reviewing contracts with suppliers and processors – are they ready for GDPR?
- Training staff in GDPR awareness
- Ensuring Privacy Impact Assessments are part of business-as-usual
- Assessing the impact of the Right to Data Portability: cost versus opportunity?
- Assessing the challenges in implementing the Right to be Forgotten (the Right to Erasure). How will the organisation fulfil this right? Could legacy systems make it difficult to fulfil?
Challenge of recruiting a DPO
One of the biggest challenges, once an organisation has decided to appoint a DPO, is finding one. There is a shortage of people with the right skills and qualifications. The International Association of Privacy Professionals (IAPP) estimates 28,000 DPOs will be required across EU Member States. There is a race to get someone with a compliance background on board now, before the pool of candidates is exhausted.
Updated October 2017
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.