Under the GDPR, the role of the data protection officer (DPO) is greatly amplified. There is a requirement for many organisations to appoint someone with that role and there has been much speculation about the extent of the requirement and the reaxch of the role. Some experts suggested that nearly 100,000 new posts would be required in the UK alone and visions of dictatorial DPOs, ruling the roost to the commercial detriment of many organisations, were floated.
The Article 29 Working Party has now adopted and published WP243/16 Guidelines on Data Protection Officers (‘DPOs’). These guidelines will clarify the role of DPOs and suggest that somewhat fewer will be required to be appointed than some of the wilder estimates suggested, and that the DPO’s role may be narrower than some envisioned.
Under the GDPR, it is mandatory to designate a DPO if an organisation is a public authority or body. Where other organisations monitor individuals systematically and on a large scale, or process special categories of personal data on a large scale, as a core activity, they too must appoint a DPO. Even when the GDPR does not specifically require the appointment of a DPO, organisations may sometimes find it useful to designate a DPO on a voluntary basis and the Article 29 Data Protection Working Party states that it encourages these voluntary efforts.
The GDPR does not define what constitutes a ‘public authority or body’. According to the Article 29 Data Protection Working Party what constitutes a public authority or body is to be determined under national law. It may include ‘a range of … bodies governed by public law’. The Working Party guidelines state:
‘Even though there is no obligation in such cases, the WP29 recommends, as a good practice, that:
· private organisations carrying out public tasks or exercising public authority designate a DPO and that
· such a DPO’s activity should also cover all processing operations carried out, including those that are not related to the performance of a public task or exercise of official duty (e.g. the management of an employee database).’
As regards ‘core activities’ and the need to appoint a DPO, the guidelines suggest that fewer DPOs will need to be recruited than some feared/hoped:
‘all organisations carry out certain activities, for example, paying their employees or having standard IT support activities. These are necessary support functions for the organisation’s core activity or main business. Even though these activities are necessary or essential, they are usually considered ancillary functions rather than the core activity.’
The guidelines as to the meaning of ‘large scale’ are somewhat less helpful, being mainly statements of obvious examples on either side of the line and citing obvious criteria. That definition looks set to require further clarification.
The term ‘regular and systematic monitoring of data subjects’ is not defined in the GDPR. The Article 29 Working Party adopts a definition of regular which might cover a ten-second period of monitoring once a decade (which surely cannot be right), and adds little or nothing to the dictionary meaning. A similar criticism might be levelled at the definition of ‘systematic’. More helpfully, the guidelines indicate that ‘the notion of monitoring is not restricted to the online environment and online tracking should only be considered as one example of monitoring the behaviour of data subjects’.
Further guidance is given as to the expertise required of a DPO (which ‘must be commensurate with the sensitivity, complexity and amount of data an organisation processes’). It is no surprise to find that ‘DPOs should have expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR’. It is possible for the role of DPO to be exercised on the basis of a service contract concluded with an individual or an organisation outside the controller’s/processor’s organisation.
The guidelines attempt to give the role of DPO real power:
‘the organisation should ensure, for example, that:
· The DPO is invited to participate regularly in meetings of senior and middle management.
· His or her presence is recommended where decisions with data protection implications are taken. All relevant information must be passed on to the DPO in a timely manner in order to allow him or her to provide adequate advice.
· The opinion of the DPO must always be given due weight. In case of disagreement, the WP29 recommends, as good practice, to document the reasons for not following the DPO’s advice.
· The DPO must be promptly consulted once a data breach or another incident has occurred.’
Moreover, the guidelines emphasis the need for proper resources to be made available to the DPO, including time, finance and training.
The independence of the DPO is dealt with (‘DPOs must not be instructed how to deal with a matter’) but, crucially, it is made clear that the controller or processor remains responsible for compliance with data protection law.