With the implementation of the General Data Protection Regulation (GDPR, Regulation 2016/679 of 27 April 2016, O.J 119/1) coming into force on 25 May 2018, the role of the Data Protection Officer (DPO) will really step into the light.
With its adoption in 1996, the Directive 95/46/EC on the protection of personal data aimed to initiate a spirit of compliance on privacy and personal data across member states. Within the directive, the DPO was actually already well established in its role, but was still to gain a rather important portfolio and tasks in businesses. In parallel, Regulation (EC) 45/2001 which applies to EU institutions, bodies and agencies in the field of data protection, actually provided more practice and more visibility to the DPO role. This was done most notably via its role with the European Data Protection Supervisor (EDPS), a dedicated EU institution in the field of data protection which became a key player over the years in connection with the GDPR.
At the national level, the DPO was rather seen as just as a liaison officer between a business and the local data protection authority. The GDPR no longer places the DPO as a liaison officer, but rather as the only subject matter expert of your company or your administration.
A special status within your organisation
If we browse the GDPR quickly, we can count about 30 times the term ‘Data Protection Officer’ spread within recitals, chapters, titles and actual provisions. Although Section 4 (Articles 37 to 39 of Regulation 2016/679) really deals with the designation, nature and tasks of the DPO, the role is also present in tools such as the Register (Art. 30) or the Data Protection Impact Assessment (DPIA, Art.39 – the methodology of the Data Protection Impact Assessment will be the subject of a distinct article). It is also present within other sections such as Recital 77 and 97. Recital 97 relates, for instance, to the independence of the DPO.
What all of the above means is that the DPO is your trusted advisor in all questions related to privacy and data protection, especially if your core business is based on the processing of personal data, such as banking, insurance, health services or IT. Not only will the DPO be able to advise you as a lawyer on issues (i.e. counselling), but in addition, the DPO will also be able to advise you prior to the implementation of a data processing (i.e. engineering). This is where the DPO’s full strength comes in very handy: you have to make sure this function is used adequately.
Competencies and expertise of the DPO: A one-stop-shop
The DPO can be seen as a one-stop-shop or, if you are more into camping, a Swiss army knife. In bigger companies, the DPO is more likely to possess a strong legal background, but the function is not entirely based on this skill. Indeed, the variety of assessment techniques in the GDPR indicates that, for instance, a legal person with the mind of an auditor (or vice versa), who has strong communication skills and an understanding of IT and security developments is likely to perform well in his or her tasks.
Audit and consultation techniques will be needed as the DPO is involved in data processing assessments, such as the DPIA mentioned above. In this matter, planning, analysing and following up will be some of those important skills.
Additionally, the DPO’s task is to keep a sufficient level of awareness of data security within the business (Article 39.1.b of Regulation 2016/679). One could argue that the more the business depends on personal data, the more raising awareness becomes vital. Here, communication skills will be as important as counselling. By informing, educating and sharing about data protection, the DPO seeks to diminish wrongdoings where personal data is involved. Somewhat related, we could mention Data Protection Day in Europe, every 28 January, marking the anniversary of Convention 108 of the Council of Europe on personal data.
Lastly, in the case where your business builds or composes software and technologies, you may want the DPO to talk to your IT department. It is also acknowledged that in smaller companies (i.e. SME), the DPO might even be a member of your IT department to. This will give added value, since technology surrounds everyone. One practical example of the role of the DPO is set in the DPIA. While the DPO will be informed of your policies and other legal controls, the DPO will also assess the threats, risks and safety controls of the software that utilizes personal data. In other words, assessing the risks of a data breach for a cloud computing solution requires an interest in technology by the DPO.
The natural missions of the DPO: To protect and advise
The very first mission of the DPO is to make sure that the processing of personal data does not adversely impact the data subjects. This is a rather technical phrasing to simply say that the DPO cannot intervene post factum, that is once the processing has already been implemented. As highlighted above, the true strength of the DPO is not to counsel after harm has been done, but to advise on best practices and to build in “privacy by design” and “privacy by default”.
Those two expressions simply mean that the processing of personal data needs to incorporate certain safeguards, which are independently validated by the DPO from the start. Not doing so may result in faster implementation, but at the cost of a negative review from the DPO. This can also result in a cost of judicial and financial sanctions. With the DPR, the risk is now too high: getting your processing validated by the DPO or your Privacy Counsel before implementation is worth it. You simply need to involve this person in meetings and reviews while you are testing the processing.
As a CEO, you can imagine yourself in the seat of “Who Wants to be a Millionaire,” facing the audience while the DPO helps you out through a ‘call to a friend’ whenever you have problems with your processing. The host in front of you is the National Data Protection Authority. You need to get your answers right, so you need to incorporate safeguards which will be in line with privacy by design and by default.
To learn the details of the DPO role, see this free online training: GDPR Data Protection Officer Course.
To find out whether ISO 27001 implementation satisfies EU GDPR requirements, see this article, and to learn how an ISO 27001 expert can become a GDPR data protection officer, see this article.