With the rapidly growing impact of technology on our personal lives, implementing proper data protection policies gained relevance. Many businesses have already started to initiating a data protection framework within their organisation to improve what we might very well call a ‘data protection culture’. In order to do so, one of the best practices is to appoint a GDPR data protection officer (DPO).
DPO and GDPR
The DPO is not a new concept of the GDPR – the ‘old’ data protection Directive 95/46/EC already featured this concept of having responsible parties for managing personal data. However, it did not contain any requirements for the appointment of a DPO, which had been basically left to the discretion of the Member States. The GDPR provides further clarification for the designation of these officers.
DPOs do more than providing compliance with data protection laws. They basically work as intermediaries between supervisory authorities, data subjects and businesses. They also provide guidance to the controller or the processor on whether or not to carry out a data protection impact assessment, and the right methodology on carrying out the assessment. Moreover, they provide advice on applicable technical and organisational safeguards.
So, when is it necessary to appoint a DPO?
Article 37 (1) GDPR requires designation of a DPO in three circumstances:
- When the processing activities are carried out by a public authority
- When the core activities of the controller or the processor consist of processing operations which require ‘regular and systematic monitoring’ of data subjects on a large scale
- When the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences
According to WP29 Guidance on DPOs, core activities should be interpreted as the key operations necessary to achieve the controller’s or processor’s goals. Data processing activities must be ‘an inextricable part of the controller’s or processor’s activity’.
The GDPR requires the designation of a DPO when the processing of personal data is done at a large scale. Although ‘large scale’ is not specifically defined under the GDPR.
Recital 91 states that ‘large-scale processing operations which aim to process a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk’.
WP29 further defined the determining factors for large scale processing activities:
- The number of data subjects concerned - either as a specific number or as a proportion of the relevant population
- The volume of data and/or the range of different data items being processed
- The duration, or permanence, of the data processing activity
- The geographical extent of the processing activity
Regular and Systematic Monitoring
Although the meaning of regular and systematic monitoring is not defined specifically under the GDPR, based on the WP29 Guidance we can interpret ‘regular’ as constantly ongoing, recurring or periodically taking place. ‘Systematic’ refers to an existence of a plan, or a method. Location trackers via mobile applications can be an example of regular and systematical monitoring.
Designating a DPO is necessary for public authorities. However, for businesses that do not fall under Article 37 it is not obligatory to designate a DPO unless Member States requires them to do so by their own national laws (see Member State laws for the specific clauses regarding the designation of a DPO).
According to the GDPR, the controller and processor have to make sure that the DPOs are involved in all data protection matters in a proper and timely manner.
Controllers and processors have to support their DPOs in performing their tasks and operations. Furthermore, the controller and the data processor should respect the autonomy of a DPO and the DPO must have direct contact with the ‘top-level management’ of the organisation.
How to Choose the Right Data Protection Officer?
There are no specific criteria for choosing a DPO, but the GDPR requires knowledge in the field which is suitable for advising and informing stakeholders, monitoring compliance and the performance of impact assessments. Moreover, the DPO should be able to cooperate with the supervisory authority and act as the point of contact for the supervisory authority on issues relating to processing activities and with regard to any other matter. It should be noted that businesses can assign a DPO from their own employees or from a third-party service provider.
Appointing a DPO for all businesses is not a ‘must’. Although it might not be necessary to appoint a DPO for your organisation, it is a good practice not only for becoming compliant with data protection laws but also for implementing a strong data protection culture within your organisation.