GDPR lays out some parameters describing who can be a DPO. In brief, the DPO should be trained in data protection law, while the level of expertise required is situational. Like much of this principle-based legislation, it is worth looking at the primary texts to understand the concepts.
The main texts to consider when looking for the description of a DPO are Article 37(5) & Recital 97.
Article 37(5) states that the DPO “shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39”. This implies that the DPO must have at least some background in data protection. Organisations appointing a DPO from their own ranks tend either to choose someone with this background or to invest heavily in training.
Recital 97 clarifies that the expertise of the DPO can depend on the nature of the organisation's data processing: “The necessary level of expert knowledge should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor.”
The two paragraphs above should be read together; taken as a whole, they make it clear that a certain profile is required for a DPO. To use HR terminology, Article 37(5) describes the competencies and Recital 97 describes the level of those competencies for the role.
Dedicated or Part Time DPOs
For organisations which haven’t had a DPO before, it is tempting to look at this role as a distraction and a cost centre. Hence some organisations have handed the role of DPO to an existing staff member. This is permitted by Article 38(6), which allows DPOs to ‘fulfil other tasks and duties’, but it is not an untrammelled right. Remember that the DPO is conceived of as an independent function: the person in that role should not have a conflict of interest.
This entails in particular that the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data. In general, the DPO cannot hold a senior management position within the organisation. Roles such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments could not be safely combined with the role of DPO. Broadly speaking any role or position which “leads to the determination of purposes and means of processing” could not be held by a DPO.
Individual or Team
The function of the DPO need not be vested in a single person. Depending on the workload and exact configuration of an organisation's processing, the responsibilities can be exercised by a group or team. In this latter case, it is essential that each member of the organisation exercising the functions of a DPO fulfils all applicable requirements of the GDPR (e.g., it is essential that no one has a conflict of interest). It is equally important that each such member be protected by the provisions of the GDPR (e.g. no unfair termination of a service contract for activities as DPO, but also no unfair dismissal of any individual member of the organisation carrying out the DPO tasks).
In-house or Outsourced
For organisations that don’t have a suitable existing employee or sufficient work for a full-time new position, it is possible to use an outsourced service provider. Article 37(6) says: “The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.” If you would like to explore this option, DigiTorc is pleased to offer an outsourced DPO service.
Regardless of who is appointed to this role, it is key that the contact details be widely disseminated. The contact details of the DPO should include information allowing data subjects and the supervisory authorities to reach the DPO easily (a postal address, a dedicated telephone number, and/or a dedicated e-mail address). When appropriate, for purposes of communication with the public, other means of communication could also be provided, for example a dedicated hotline, or a dedicated contact form addressed to the DPO on the organisation’s website.