All You Need to Know About the Data Protection Officer

March 16, 2018

The EU’s General Data Protection Regulation (GDPR) takes effect in May 2018. The Regulation governs the processing of personal data of individuals in the EU by any company, whether or not that company is located in the EU. One of the GDPR’s requirements is that public authorities, and companies whose core activities involve certain kinds of large-scale processing of personal data, must appoint a Data Protection Officer (DPO).

Below is an in-depth analysis of the DPO’s role and responsibilities.

Data Protection Officer – internal or external?

All US-based companies with customers in Europe, especially those with a strong Internet presence, should assess whether their business activity falls within the territorial scope of the GDPR. Under Article 37, a DPO must be appointed by every public authority, and by any controller or processor whose core activities involve “regular and systematic monitoring of data subjects on a large scale” or large-scale processing of “special categories of personal data”. The GDPR does not specify the precise credentials a DPO is expected to have, but the Article 29 Working Party guidelines on DPOs released in 2016 set some minimum requirements for the DPO’s expertise and skills. Understanding how to build, implement and manage a data protection program is essential. A DPO must have expertise in national and European data protection law, including in-depth knowledge of the GDPR. The DPO must also have a reasonable understanding of the organization’s technical and organizational structure and be familiar with information technologies and data security.

The choice: modify the organizational chart to include a DPO, or hire an external consultant?

The GDPR establishes with relative precision the situations in which organizations processing personal data are required to designate a DPO (for example, when the organization’s core activities consist of regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of special categories of data), but it leaves organizations free to choose the legal model by which they bring in such a specialist. There are two options: contracting an external consultant under a service contract, or appointing a new or existing employee. The second option raises some organizational management issues.

Assigning the DPO role to an existing department

As a general rule, the DPO should appear in the company’s organizational chart. This requires a decision by the competent corporate body to update the internal organizational structure, either by creating a new position or by adding the DPO’s specific prerogatives to an existing position. In addition, the exercise of the DPO function must be regulated in the contractual relationship with the person who will act as DPO. If the DPO position is filled by a newly hired person, this means concluding an employment contract that sets out the specific duties of the function.

If the DPO position is filled by an existing employee, the company will have to sign an addendum to the employment contract, through which the parties agree to modify the job description by adding the specific tasks of a DPO, together with any salary adjustment. If only the duties of the existing employee change, the parties can sign an updated job description without concluding an addendum to the employment contract. An existing employee can be appointed as DPO only with the employee’s consent; the appointment cannot be made by a unilateral decision of the employer.

Evaluating the activity of a DPO

The GDPR does not regulate the mechanisms by which the DPO’s activity can be evaluated. Measures similar to those generally used to assess an employee’s performance can therefore be applied. It is recommended to draft internal policies that define the data processing mechanisms and the corresponding procedures and measures the DPO is expected to follow, so that performance can be measured against them.

It is also necessary to clearly define the tasks and duties of the DPO through internal policies, job descriptions or the contract concluded with the DPO, including regular reporting to the management of the company that appointed the DPO. Last but not least, the work of the DPO can be verified by third-party specialists (cyber security consultants, lawyers, etc.) or by the national data protection authority.

Managing conflict of interest

As a matter of principle, the GDPR does not generally prohibit a DPO from holding another function. On the contrary, the GDPR expressly provides that the DPO may perform other tasks and duties. However, the controller or the processor must ensure that none of these tasks and duties results in a conflict of interest.

Conflict of interest is inseparably linked to the requirement of DPO independence. Any additional function or task entrusted to the DPO that generates pressure from the business side, in particular decision-making or execution in relation to the purposes and means of data processing, is contrary to the DPO’s legal role and is a source of conflict of interest. There is no list of such functions; they must be determined case by case, because organizational structures and internal decision-making processes vary from one company to another. In general, a conflict of interest is considered likely if the DPO position is held by persons in executive positions such as: the administrator or general manager (in principle a general conflict of interest, given the overall decision-making power over the company’s activity); a director with financial decision-making power (who could influence the decision to approve the financing of some or all of the measures needed to comply with data protection legislation); the human resources manager (who can influence the processing of data on employees, former employees and job candidates); and the marketing manager (who can influence the processing of customer data).

Conflicts of interest may also arise in relation to non-managerial positions. An example would be a legal adviser designated as DPO who would also be authorized to represent the company in a dispute over the lawfulness of its processing of personal data. Similarly, an IT manager who holds the DPO position may find themselves in a conflict of interest, because they are responsible for the quality of the technical (IT security) measures used to comply with GDPR requirements and would in effect be assessing their own work.