The GDPR recognises the Data Protection Officer (DPO) as a key player in the new data governance system and lays down conditions for his or her appointment, position and tasks. The aim of this post is to explain relevant provisions in the GDPR to help our clients to comply with the law, but also to assist DPOs in their role.
New GDPR guidance for the DPO
On the 5th of April 2017, the Article 29 Working Party
published new and updated guidance on the role, position and tasks of the DPO.
Article 37(1) of the GDPR requires the designation of a DPO in three specific cases:
- where the processing is carried out by a public authority or body;
- where the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale; or
- where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.
Data compliance the role of the controller or DPO?
To first address a major concern of DPO's
: DPOs are not personally responsible in case of non-compliance with the GDPR. The GDPR makes it clear that it is the controller or the processor who is required to ensure and to be able to demonstrate that the processing is performed in accordance with its provisions (Article 24(1)). Data protection compliance is, therefore, a responsibility of the controller or the processor.
There are five tasks listed for the DPO in several Articles of the GDPR (35, 37, 38 and 39).
- Monitoring Compliance with the GDPR
- Data Protection Impact Assessment (DPIA)
- Cooperating with the Supervisory Authority
- Risk-Based Approach
- Record Keeping
To details these tasks, I have listed the main points, see also SMART PIA
As part of monitoring compliance DPOs should:
- collect information to identify processing activities;
- analyse and check the compliance of processing activities;
- inform, advise and issue recommendations.
For the DPIA's the DPO should assess:
- whether or not to carry out a DPIA;
- what methodology to follow when carrying out a DPIA;
- whether to carry out the DPIA in-house or whether to outsource it;
- what safeguards (including technical and organisational measures) to apply to mitigate any risks to the rights and interests of the data subjects;
- whether or not the data protection impact assessment has been correctly carried out and whether its conclusions are in compliance with the GDPR.
In cooperating with the Supervisory Authorities, the DPO should act as a contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36 and consult, where appropriate.
DPO prioritise your activities to prevent data protection risks
The DPO must have due regard to the risk associated with the processing operations, taking into account the nature, scope, context and purposes of processing. Article 39 recalls a general and common sense principle, which may be relevant for many aspects of a DPO’s day-to-day work. In essence, it requires DPOs to prioritise their activities and focus their efforts on issues that present higher data protection risks.
On record keeping, the controller should maintain a record of processing operations and or maintain a record of all categories of processing activities carried out on behalf of a controller. The controller should seek advice from the DPO on these records. The DPO is not required to keep the records, however, nothing prevents the controller or the processor from assigning the DPO with this task.
In practice, DPOs often create inventories and hold a register of processing operations based on information provided to them by the various departments in their organisation responsible for the processing of personal data. This practice has been established under many current national laws and under the data protection rules applicable to the EU institutions and bodies.
In my next article I’ll update you in about data portability