The role and responsibilities of the Data Protection Officer (DPO) in helping an entity comply with the European Union General Data Protection Regulation (EU GDPR) present unique challenges in and of themselves. However, the role also requires a unique working relationship, both internally and externally, in order to avoid conflicts of interest. This post will explore the delicate balance the DPO must strike in being employed by an entity while maintaining an appropriate distance and autonomy from that same entity in the performance of his/her duties. Although employed by the entity that collects, stores, and processes data, the DPO’s ultimate loyalty is owed to the Data Subject.
The EU GDPR describes the role and responsibilities of a DPO. While not required in every organization, Data Controllers/Processors must designate a DPO if data processing is regularly carried out by a public entity and systematic monitoring of Data Subjects occurs on a large scale. Many global firms are likely to fall into this category. The DPO may be a staff member of the Data Controller/Processor or may fulfill those duties on the basis of a service contract. Although the DPO reports directly to the highest management level of the Data Controller/Processor, that same management cannot instruct the DPO, nor dismiss or penalize him/her for performing those duties. In fact, the Data Controller/Processor must support the DPO in all his/her duties and must involve the DPO in all issues related to the protection of personal data. The DPO is bound by secrecy/confidentiality in performing his/her duties, and this obligation extends even after employment in this capacity ends. And, while the DPO may perform other tasks, those tasks cannot result in a conflict of interest. The DPO’s contact details must be published and communicated to the Supervisory Authority (SA), as well as to Data Subjects.
Once a DPO is hired/assigned, he/she should reach out to the appropriate SA in order to establish and develop a good working relationship. The SA will be critical to an entity’s compliance with the Reg and can offer much-needed guidance and advice.
An Information Audit and a Data Protection Impact Assessment should be performed soon after a DPO is hired/assigned. These audits and assessments are likely to reveal gaps in processes and insufficient IT systems. While process corrections are easy enough to identify and implement, securing the budget for IT system upgrades or rip-and-replace overhauls may present greater challenges. Periodic reviews will also be necessary when new technologies become available or are deployed, if they may impact data protection risk. If the Impact Assessment indicates a high risk, the SA must be consulted. The SA will respond within one month, and written advice will be provided within eight weeks (a six-week extension beyond that is possible).
The result should be the development of a Code of Conduct, which establishes processes for data breach detection and notification, among other things. While records maintenance is often a defining feature of any well-run organization, it is critical not only to complying with the Reg, but also to providing a “paper trail,” should one be needed.
*Read my prior posts covering the highlights of the EU GDPR, some of the definitions pertinent to the Reg, and my recommendations in preparing for compliance with the Reg.