The Data Protection Officer (DPO) is an unusual role, as it has some statutory functions and independence, yet still exists within an organisation's line structure. GDPR did not introduce the concept of the DPO. The practice of appointing a DPO has developed in several Member States over the years since Directive 95/46/EC in October 1995. However, since the coming into force of GDPR, appointing a DPO is now mandatory in certain cases.
DPOs are responsible for overseeing data protection strategy and implementation within an organisation to ensure regulatory compliance.
Outlined in GDPR Article 39, DPO responsibilities include:
- Informing staff who process personal data of their obligations under GDPR.
- Overseeing compliance with the regulations within the organisation, including training staff involved in data processing, assigning responsibilities and related audits.
- Providing advice when requested on the data protection impact assessment and monitoring its performance.
- Acting as the organisation's contact point for the supervisory authority on issues relating to personal data processing.
- Acting as an escalation point for individuals whose data is processed.
These responsibilities do not include carrying out GDPR-compliant data processing. The DPO is not responsible in case of non-compliance by the organisation. The text of GDPR makes it clear that it is the controller or the processor who is liable (Article 24(1)), and this liability cannot be pushed onto the DPO.
For the DPO to facilitate compliance, Article 38(3) establishes some basic protections or guarantees to help ensure that DPOs have autonomy within their organisations, so that they can perform their tasks with a sufficient degree of independence. In particular, controllers/processors are required to ensure that the DPO 'does not receive any instructions regarding the exercise of [his or her] tasks.' Recital 97 adds that DPOs, 'whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner'.
This means that, in fulfilling their tasks under Article 39, DPOs must not be instructed how to deal with a matter, for example, what result should be achieved, how to investigate a complaint or whether to consult the supervisory authority. Furthermore, they must not be instructed to take a certain view of an issue related to data protection law, for example, a particular interpretation of the law. This is tricky, as the DPO, like everyone else, is competing for scarce resources within the organisation.
One way to mitigate this risk is to retain an outside consultant or an outside company to execute the role of DPO. In this case it is simpler to ensure that there is no confusion regarding their position as DPO, outside of the usual jockeying for position in organisational politics. Questions of title, status and position, as well as competence development, are avoided through outsourcing.
To strengthen the autonomy of DPOs and help ensure that they act independently in performing their data protection tasks, Article 38(3) requires that DPOs should 'not be dismissed or penalised by the controller or the processor for performing [their] tasks'.
One often overlooked obligation of DPOs is the obligation of confidentiality concerning the performance of their tasks, in accordance with Union or Member State law (Article 38(5)).
Besides operating as a DPO, Article 38(6) allows individuals who have a DPO role to carry out other functions. It requires, however, that the organisation ensure that 'any such tasks and duties do not result in a conflict of interests'. More about the individuals who have a DPO role can be found here.