GDPR: what is the role of a data protection officer and when will it be mandatory to incorporate one into companies?

Posted by media on December 13, 2016 at 9:00 AM


In one of the posts we published last week we discussed the obligation for some companies to appoint a data protection officer (DPO), as established in Article 37 of the new European Data Protection Regulation. We also commented on a series of inaccuracies in the terms that define when an appointment is necessary.

With this post we want to expand on the previous one by looking at the responsibilities the new Regulation assigns to a DPO in relation to data processing, and at the requirements an individual must meet to perform this role.

This post is also available in Spanish.


What are the responsibilities of a data protection officer?

In accordance with what is established in Article 39 of the new European Data Protection Regulation, the data protection officer will have at least the following tasks:

  1. Inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;

  2. Monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;

  3. Provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;

  4. Cooperate with the supervisory authority;

  5. Act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.


What are the requirements and guidelines a DPO should follow, on the one hand; and the company, on the other?

On one hand, according to the Regulation itself, the data protection officer will perform his/her functions with due regard to the risks associated with the processing operations, taking into account the nature, scope, context and purposes of the processing.

Consequently, the company will need to perform a relevant risk analysis in order to assess the impact that such risks could have on the company.

Thus, Article 38 establishes the following conditions for the DPO:

  • That the data protection officer will report directly to the highest management level of the controller or processor;
  • That data subjects can contact the DPO with regard to all questions related to the processing of their personal data and the exercise of their rights under this Regulation;
  • That the DPO is bound by secrecy or confidentiality concerning the performance of his/her duties, in accordance with Union or Member State law;
  • That he/she may also perform other functions and duties.


On the other hand, the controller and/or processor should also assist the DPO in fulfilling these responsibilities. Thus, Article 38 establishes the following conditions to be met by the controller and the processor:

  • They should guarantee that the data protection officer is involved, properly and in a timely manner, in all matters related to the protection of personal data.
  • They should provide the resources necessary to carry out these duties, provide access to personal data and processing operations, and support the DPO in maintaining his/her specialized knowledge.
  • They should guarantee that the data protection officer does not receive any instructions regarding the performance of these duties, and is not dismissed or penalised by the controller or processor for performing them. This means that the DPO should have autonomy and independence in performing his/her duties.
  • The controller or processor will guarantee that any other functions and duties the DPO may perform do not result in a conflict of interest.


Who can be a data protection officer?

In accordance with Article 37 of the new European Data Protection Regulation, in points 5 and 6, the data protection officer will be appointed on the basis of his/her professional qualities; specifically, his/her specialized legal knowledge and experience in data protection, and the ability to perform the tasks described earlier in this post.

It is further established that the data protection officer may be a member of the controller's or processor's staff, or may perform his/her services under a service contract. Therefore, it can either be an internal company worker who meets the qualities indicated in Article 37, or an external contractor.

It’s important to point out that according to the Spanish Data Protection Agency, “the Regulation does not specifically state what those professional qualifications are, nor the way in which they can be proven to the organizations that must incorporate this role.”


Is it necessary to have some type of certification to act as a DPO?

The Spanish Data Protection Agency itself states that it is not appropriate to establish a certification system for data protection officers that would operate as a requirement to enter the profession, since there are already certifications and qualifications that attest to knowledge or experience in the field of data protection.

These certifications and qualifications can play a relevant role in developing professions related to data protection, since they can serve as an additional element (although not necessarily the only one) that allows the organization that has to incorporate a DPO to be aware of the training or qualifications of potential candidates.

It is also indicated that the possibility of promoting accreditation of the certification of professional bodies in accordance with established standards is being assessed; in Spain this would be carried out by the National Accreditation Entity (ENAC). However, this would not be the only method or formula for accrediting the necessary experience and knowledge of a DPO, and thus it would not be the only way to access a DPO job position.

Is it necessary to incorporate a DPO in my company already?

The new European Data Protection Regulation will apply from May 25, 2018, two years after its publication in the Official Journal of the European Union (Article 99.2). Therefore, until then it will not be necessary to include a data protection officer within the company.

However, it is recommended to at least have a similar role that takes on the tasks established by the Regulation, or that starts guiding the implementation, so that the company is prepared for when it becomes mandatory.

On the other hand, it is worth noting that similar roles already exist in other systems and countries -- such as the Chief Privacy Officer in British systems, or the Security Officer in the Spanish system -- although these differ greatly from what the Regulation establishes regarding the DPO's functions.

A question that arises, and is currently debated in the legal and data protection fields, is whether the DPO could be the same person or consulting company that performs the company's adaptation tasks and audits, or whether it should be a separate person or company.

Additionally, another question that has arisen is whether a company may be appointed as data protection officer or whether it must be a natural person, since the Regulation establishes that the role should be occupied by a person.

To resolve both doubts, it will be necessary to see how this issue evolves in the sector, and whether the various data protection authorities issue guidance on the matter.

Finally, it should be noted that, given the nature of the processing carried out within the company, if the characteristics established in Article 37(a), (b) or (c) are met, we do recommend reviewing the measures and needs in this regard, determining, even while it is not yet applicable, whether this role is needed, as well as the other particularities and legal requirements of data protection that companies must implement in order to comply with the new Regulation.




This is a guest post by Vanesa Alarcón Caparrós.

Vanesa is a specialised lawyer in new technologies and intellectual property, and a founding member of Avatic Abogados.

@vanesa_alarcon
@AvaticAbogados