Designating a Data Protection Officer: Key Considerations
Published on: 15/05/2018
Issues Covered: Data Protection and GDPR
Article Author: Eimear Boyle

In the third of the series by Crowley Solicitors on data processing in the workplace, Eimear Boyle explains when a DPO is required and the scope of their role. The DPO’s duties and responsibilities are highlighted and consideration is given to whether a Privacy Officer, as distinct from a DPO, is more appropriate.

Who needs to consider appointing a DPO in their business/organisation?

  • Public authorities/bodies; or
  • Controllers or processors whose core activities consist of regular and systematic monitoring of data subjects on a large scale; or
  • Controllers or processors whose core activities consist of the processing on a large scale of special category/sensitive personal data and personal data relating to criminal convictions.

(See Article 37 of the GDPR (plus Articles 9 and 10) for further reference)

How to decide who to appoint/designate?

Remember that a DPO may be an employee or an independent contractor but, regardless, must be free from conflicts of interest in their work as DPO. Also, a single DPO may be shared by more than one public authority/body; likewise, a corporate group may share a single DPO. In doing so, consideration should be given to the accessibility of the DPO and to the organisation’s size and structure.

(See Article 37 (2) and (6) of the GDPR)

Consider first that the DPO will be responsible for the following under the GDPR:

  • Informing, advising and monitoring the controller or processor and their employees of their compliance obligations under the GDPR;
  • Advising and monitoring data protection impact assessment(s) (DPIA);
  • Liaising with the Data Protection Commissioner (DPC) generally and cooperating with them specifically in respect of DPIA(s) requiring prior consultation with the DPC (see Article 36 of the GDPR for further reference); and
  • Always being cognisant of the risks associated with processing operations, which, from a pragmatic point of view, suggests that a DPO’s focus should be on higher risk areas.

The controller or processor may of course add to these tasks and they are simply the minimum tasks outlined in the GDPR.

(See Article 39 of the GDPR for further reference)

Now consider what the GDPR says about the position of the DPO:

  • The DPO must be front and centre in all personal data protection matters and report directly to the highest management of the controller or processor;
  • They must receive the requisite support and resources from the controller or processor; however, they may not receive instructions from the controller or processor on how they carry out their tasks, and must be fully independent in the performance of those tasks;
  • The DPO cannot be dismissed or penalised for performing their tasks;
  • The DPO is bound by confidentiality in accordance with EU or Irish law;
  • Whilst the DPO is permitted to have another role, the controller or processor is responsible for ensuring that no conflicts arise in respect of such role(s) and the DPO’s data protection obligations; and
  • The contact details of the DPO must be published and communicated to the DPC by the controller or processor.

(See Articles 37 and 38 of the GDPR)

In addition:

  • The GDPR makes no reference to any personal liability for a DPO in the event of non-compliance with the GDPR (the processor or controller is responsible for compliance); and
  • It is recommended that the DPO be located in the EU.

Non-exhaustive DPO job description:

  • Primary responsibility for developing, updating and monitoring the organisation’s data processing compliance practices in order to ensure compliance in accordance with the GDPR and all EU and Irish data protection legislation, beginning with an inventory of all data;
  • Create and/or update and maintain a register identifying all of the organisation’s processing operations, having consulted exhaustively with all relevant departments;
  • Conduct an in-depth DPIA on processing operations;
  • Inform, advise and issue recommendations to the controller or processor;
  • Acting strictly autonomously and independently, and in pursuit of privacy by design, advise the controller on which areas should be internally/externally audited (from a data protection perspective), which internal training programmes would be advantageous for staff and which processing operations merit more time and resources, focusing mostly on the higher-risk areas of an organisation’s practices;
  • Ensure privacy forms part of all business strategies and that all employees are trained in relation to GDPR awareness;
  • Advise the controller on DPIA(s), more particularly, whether to conduct a DPIA and, if so, what methodology to follow, whether the DPIA should be conducted in-house or outsourced and what safeguards apply in respect of the risks to data subjects, and assess whether or not the DPIA has been correctly carried out and whether its conclusions are GDPR compliant;
  • Facilitate access by the Data Protection Commissioner (DPC) to any information required by the DPC in the course of its supervisory function;
  • Promote the privacy by design ethos throughout the organisation; and
  • Report regularly, and at least quarterly, directly to the organisation’s board of directors.

Cautionary note when considering whether a DPO or a Privacy Officer should be appointed

Conclusion

Organisations must consider the prescriptive circumstances in which the GDPR requires a DPO to be appointed. If your organisation falls outside that test, consideration must then be given to the appointment of a Privacy Officer. If an organisation voluntarily appoints a DPO, it is holding itself to the high compliance standards that the GDPR requires of a DPO. Great caution should be exercised when undertaking this analysis.

The new GDPR accountability requirement means that each controller and processor must be able to justify its decision to appoint (or not to appoint) a DPO, so documentation recording this process is critical. The duty of accountability is an ongoing one, so we recommend that the analysis as to whether a DPO is required be undertaken routinely, particularly where a business develops new relationships with customers, employees, service providers or volunteers, or rolls out new software systems.

Disclaimer: The information in this article is provided as part of Legal Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article. This article is correct at 15/05/2018.