The GDPR provides clear criteria that organisations should take into account when appointing a Data Protection Officer (DPO) for their compliance efforts. However, besides the right qualifications, organisations also need to identify what the ‘right’ DPO means for them. For instance, some companies might not have the capacity to appoint someone full-time for data protection, and might find that alternatives such as an external DPO service provider or training existing employees to take up the role are a better fit. Other organisations might not be required to appoint one at all. To determine which case applies to your organisation, you first need a clear understanding of the requirements set out by the GDPR, and then take into consideration the best practices described in this blog post, to see what is best for your organisation specifically.
When is appointing a DPO mandatory?
Article 37 GDPR provides a set of characteristics; if an organisation finds that any one of them applies, appointing a DPO is mandatory.
Appointing a DPO is mandatory for organisations that are considered to be:
• A public authority or body (except for courts acting in their judicial capacity);
• A data controller or processor with core activities that require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
• A data controller or processor with core activities that consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
To determine whether your processing is considered “large scale”, consult the Working Party 29 Guidelines, which point out a few traits that should be taken into account. The guidelines state that an organisation should consider: the number of data subjects concerned, the volume of personal data processed, the range of different data items being processed, the geographical extent of the activity, and the duration of the processing activity.
At the same time, not all organisations are required to appoint a DPO. Organisations are still allowed to appoint one to help them operate within the framework of the GDPR. If your organisation decides to appoint a DPO voluntarily, bear in mind that the same requirements regarding the position and responsibilities apply as if the appointment had been compulsory. If your organisation decides not to appoint a DPO, either because you don’t meet the criteria listed above or because it was a voluntary decision, it may be helpful to record that decision to help demonstrate compliance with the accountability principle. Additionally, the ICO has created a handy set of questions that can help you determine whether your organisation must appoint a DPO.
What qualifications does a DPO need to have?
Article 37 GDPR states that an organisation should appoint a DPO on the basis of their “professional qualities, and in particular, experience and expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39 GDPR”. Additionally, the Working Party 29 (now the EDPB) provides guidelines that describe the qualifications a DPO should have and why:
Although the GDPR doesn’t define a specific level of expertise a DPO should have, the expertise should correspond to the sensitivity, complexity, and amount of personal data the organisation processes. For instance, if an organisation processes sensitive personal data on a large scale, the DPO should have a high level of knowledge and support. The same applies to potential issues that may arise: the DPO should have enough expertise to mitigate them.
DPOs are expected to have a level of proficiency in national and European data protection law and practices, as well as a comprehensive understanding of the GDPR. Moreover, knowledge of the business sector, and more specifically the sector in which the organisation operates, would be of additional value. The DPO should also have an in-depth understanding of how processing operations are carried out, along with the information systems and data protection needs of the organisation. In the case of a public authority or body, it is important that the DPO holds a certain level of knowledge of the administrative rules and procedures of the organisation.
Ability to carry out tasks
The DPO’s ability to carry out tasks reflects both their personal qualities and expertise and their position within the organisation. The personal qualities should include the DPO’s effectiveness in implementing compliance with the GDPR. As the DPO holds the primary responsibility for embedding a data protection culture in the workplace, it’s important that the DPO helps to implement elements of the GDPR such as the data processing principles, data privacy by design and by default, data subjects’ rights, and adequate communication of data breaches.
What does the GDPR say about the duties of a DPO?
Article 39 GDPR lays out the duties of a DPO as:
• To inform and advise the organisation and its employees about its obligations to comply with the GDPR and other data protection laws;
• To monitor compliance with the GDPR and other data protection laws, and with the organisation’s data protection policies, including managing internal data protection activities; raising awareness of data protection issues, training staff and conducting internal audits;
• To advise on, and to monitor, data protection impact assessments;
• To cooperate with the supervisory authority;
• To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc); and
• To take into account the risk associated with the processing. They must have regard to the nature, scope, context and purposes of the processing.
It’s important to remember that the DPO’s tasks cover all personal data processing activities, not just those that require their appointment under Article 37 GDPR.
The role of the DPO in general
In general, the DPO has a responsibility in closely working with the data controller and processor in the protection of personal data. It’s crucial that the DPO receives necessary information from both the controller and processor, in order to access both stored personal data and processing operations. However, it's important that the DPO does not receive instructions from the business level of either of the two, as the DPO needs to stay independent and reports directly to the highest level of management within the organisation.
Not only should DPOs closely identify risks and opportunities in the firm’s compliance efforts, namely through conducting DPIAs, but they should also work on improving its data protection efforts and establish a sufficient level of data protection awareness within the company.
As critical as internal responsibilities are for the DPO, external duties are just as important. As the main point of contact for an organisation’s GDPR compliance efforts, DPOs should be able to cooperate with the respective Data Protection Authorities (DPAs) and regulators on behalf of the organisation. Furthermore, DPOs are also directly responsible for handling Data Subject Access Requests (DSARs) and complaints that relate to the use of personal data.
Characteristics and traits of a great DPO
A DPO should be able to implement a variety of procedures and assessment techniques in accordance with the GDPR. This function, however, is not based solely on a strong legal background.
Let’s go through the additional key characteristics and skills that make a great DPO and why.
Strong internal & external communication skills
As establishing strong internal data privacy awareness is a key task for a DPO under the GDPR, the ability to inform, educate, and convince internal departments to adopt appropriate compliance practices is a vital trait. External communication skills are just as important, as the DPO must communicate with parties such as DPAs, regulators, and data subjects. Communication should be both quick and easy to understand (for example, using less legal jargon).
Strong technical skills in the applicable field
As the key individual in handling and preventing personal data breaches, it’s essential that the DPO holds practical knowledge of the technologies used for data processing. This gives organisations an opportunity to embed compliance into their IT infrastructure as well, for a smarter, more efficient way of working, and to optimise it continuously.
Article 37 GDPR also specifies that DPOs with “expert knowledge of data protection law and practices” should assist both data controllers and processors while being “bound by secrecy or confidentiality” and performing their tasks in an “independent manner”. As DPOs are expected to show a high level of expertise in data protection, besides identifying the gaps and risks in a firm’s compliance efforts, they should also work to mitigate potential risks. This often means instructing other departments on how and why to go ahead with projects. Furthermore, a good DPO should be proactive in keeping up to date with regulatory changes that could influence the business. This requires strong attention to detail and the ability to communicate potential changes effectively to upper management.
What are the pros and cons of hiring an internal or external DPO?
Now that we’ve established the qualifications and key skills that make a DPO great, let’s take a look at whether an internal or external DPO could be the best fit for your organisation.
The GDPR states that organisations may assign the responsibilities of a DPO to someone already in the organisation, as long as this avoids a conflict of interest with the DPO’s primary duties. This means that:
• You can appoint an existing employee as your DPO, rather than having to create a new post;
• The DPO cannot hold a position within your organisation that leads him or her to determine the purposes and the means of the processing of personal data; and
• The DPO shouldn’t be expected to manage competing objectives that could result in data protection taking a secondary role to business interests.
Furthermore, a single DPO can also be appointed to act for a group of companies or public authorities.
Pros of an internal DPO
• Integration: Training an individual to take up the duties of a DPO means that they are further integrated into the corporate structure and business culture. This gives them the advantage of easily embedding data protection initiatives into existing business practices.
• Accountability: Larger firms that process a great amount of personal data need DPOs who can cater to their needs at all times. An internal DPO is not only able to respond to issues in a timely manner, but can also take more time to identify potential issues.
• Overview of costs: An organisation’s financial planner has a clearer overview of the additional expected costs of integrating an individual into the role of a DPO.
Cons of an internal DPO
• Higher costs: Despite the better overview of expected costs, appointing a full-time DPO or training an existing employee to take up the duties of one means higher costs. High-level training and courses take time to complete and also cost the organisation money.
• Conflict of interest: Training an individual to take up the role of the DPO could mean they hold a dual role. Certain tasks and duties might not balance each other out and, as a result, could create a conflict of interest.
• Difficulties in dismissal: Investing time and money in appointing a DPO could make it difficult to relieve them of their duties later. Additionally, as some companies prefer to appoint someone to a double role, dismissal will be especially difficult unless there are exceptional reasons for it.
Alternatively, organisations can also contract the duties of a DPO externally, based on a service agreement with an individual or firm, where the externally appointed party has the same position and responsibilities as an internally appointed DPO. The GDPR also points out that, although organisations must appoint a single DPO to carry out the tasks, they are permitted to appoint other data protection specialists to assist the DPO.
Pros of an external DPO
• Cost effective: Organisations such as SMEs that might not have the capacity or budget to appoint a full-time DPO or train existing employees to take the role may find outsourcing to be a more cost-effective solution. Many external DPOs work on a fixed-fee or per-hour basis, which means working within arrangements agreed beforehand.
• Broad experience: External DPOs usually work for several clients, which gives them experience and knowledge of data protection across a wide variety of sectors, interests, practices, and services.
• No conflict of interest: External DPOs focus primarily on data protection and solely on the duties of a DPO. This means they have no conflicting duties to carry out and can prioritise your organisation’s GDPR compliance efforts.
Cons of an external DPO
• Lack of integration: External DPOs might not be accustomed to the organisation’s corporate structure and practices. This can be a challenge, as the DPO needs time to fully take these factors on board.
• Possible additional costs: More complex cases that require further attention and time may incur additional costs, if not stated otherwise in the agreement. Additionally, attending meetings and monitoring the firm’s GDPR compliance progress may be time-consuming and expensive if billed on an hourly basis.
The third option: the rise of the part-time DPO
As the GDPR permits organisations to give the duties of the DPO to existing employees, the role of a ‘part-time DPO’ has lately become a popular choice for organisations. Not only does appointing a part-time DPO leave room for multi-tasking roles, it also helps organisations manage costs.
However, a part-time DPO could easily encounter a conflict between their DPO duties and their other responsibilities. This can be harmful for organisations, as data protection duties that are neglected or overlooked can result in serious compliance issues. Therefore, organisations opting for a part-time DPO should allocate adequate time and support for the individual to fulfil both roles well.
The right DPO, the right investment
As we can see, determining the right DPO for your organisation is a task that should be carried out with time and care. Not only should the DPO have knowledge of the GDPR, but they should also show how they can integrate that knowledge into existing business practices. Whichever type of DPO your organisation chooses to appoint, it's essential to offer the support and time needed to carry out their tasks properly.
Finding the right candidate for the job of DPO can be challenging, as there might not be many people who fit the criteria. If your organisation is still undecided on where to start with its compliance efforts, hiring an external DPO may be your best bet. However, as you gain more control and insight over your firm’s compliance and where to improve, appointing a full-time or part-time internal DPO might become the next top priority.