As we saw in part one of this series, every organisation handling personal data must comply with the GDPR, but not all need to appoint a data protection officer (DPO). In this second of our two-part blog, we take a closer look at the nature of the role, and the part they play in activities like the record of processing activities and data protection impact assessments.
Is it possible to appoint an external DPO?
The DPO can be external, carrying out their function based on a service contract with an individual or an organisation. The European Data Protection Board guidelines state that when an external service provider carries out the DPO function, a team of individuals working for that organisation may effectively carry out the DPO tasks as a team, under the responsibility of a designated lead contact and ‘person in charge’ at the client.
The guidelines further recommend that ‘the service contract for the external DPO should have a description with the clear allocation of tasks within the external DPO team as well as to assign a single individual as a lead contact and person “in charge” of the client’s compliance responsibilities.’
As with any recruitment, the downside to an in-house data protection officer is that if the employee leaves, your organisation will have to rehire and possibly retrain another member of staff. The alternative is to engage a consultant on a needs-only basis. This suits businesses of all sizes, but particularly SMEs, whose needs are best served by having access to an external consultant as and when required. Bigger organisations usually use consultancies like BH Consulting for outsourcing large tasks, as we have a large team of data protection specialists who can be deployed at once.
Other considerations include:
- If the DPO is mandatory and needs to be registered
- The level and scope of the processing of personal data
- The complexity and level of risk of the associated processing
- The complexity of the industry sector
- Any additional regulations relevant to data protection
- The structure and size of the organisation.
Supervisory authorities have also accepted the arrangement of appointing an external DPO. In 2021, the Danish DPA approved four external DPO setups by public authorities. However, it is important to document the DPO designation decision and to clearly allocate tasks between the organisation and the DPO.
Does a processor also need a DPO?
The need for a DPO applies to both controllers and processors. Depending on who fulfils the criteria for mandatory designation, in some cases only the controller or only the processor needs to appoint a DPO. In other cases both organisations are required to do so.
It is important to note that even if the controller fulfils the criteria for mandatory designation, its processor is not necessarily required to appoint a DPO.
What is the DPO’s role with respect to the record of processing activities (Article 30)?
The record of processing should be considered as one of the most important tools enabling the DPO to perform their tasks of monitoring compliance, informing and advising the controller or the processor. The European Data Protection Board advises that ‘the controller or the processor, not the DPO, is required to maintain a record of processing operations’. In practice, this means each relevant department will, with their DPO’s advice, establish and maintain the record of processing.
What is the DPO’s role in a DPIA?
As far as the data protection impact assessment (DPIA) is concerned, the controller or the processor should seek the DPO’s advice on the following issues, amongst others:
- whether or not to carry out a DPIA
- what methodology to follow when carrying out a DPIA
- whether to carry out the DPIA in-house or whether to outsource it
- what safeguards (including technical and organisational measures) to apply to mitigate any risks
- whether or not the data protection impact assessment has been correctly carried out and whether its conclusions (whether or not to go ahead with the processing and what safeguards to apply) comply with the GDPR.
What professional background should a DPO have?
The GDPR requires that the DPO ‘shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39’.
The necessary skills and expertise include:
- An in-depth understanding of the GDPR
- Expertise in the national and European data protection laws and practices
- Understanding of the processing operations carried out by the company
- Understanding of information technologies and data security
- Knowledge of the business sector and the organisation
- Ability to promote a data protection culture within the organisation.
For example, where a data processing activity is particularly complex, or where a large amount of sensitive data is involved, the DPO may need a higher level of expertise and support from across the organisation.
What resources should an organisation provide to the DPO to carry out their tasks?
The GDPR requires the organisation to support its DPO by ‘providing resources necessary to carry out [their] tasks and access to personal data and processing operations, and to maintain his or her expert knowledge’.
Depending on the nature of the processing operations and the activities and size of the organisation, the following resources should be provided to the DPO:
- Active support of the DPO function by senior management
- Sufficient time for DPOs to fulfil their duties
- Adequate support in terms of financial resources, infrastructure (premises, facilities, equipment) and staff where appropriate
- Official communication of the designation of the DPO to all staff
- Access to other services within the organisation so that DPOs can receive essential support, input or information from those other services
- Continuous training.
What should a DPO focus on first?
Article 39(2) requires that the DPO ‘have due regard to the risk associated with the processing operations, taking into account the nature, scope, context and purposes of processing’. In essence, that means the DPO should prioritise activities and focus efforts on issues that present higher data protection risks. This doesn’t mean they should neglect monitoring compliance of data processing operations that present a comparatively lower level of risk, but it does indicate that they should focus primarily on the higher-risk areas.
Tom Knierim is a data protection consultant with BH Consulting