Data protection officers
The Regulation includes a requirement for certain organisations to appoint a DPO increasing the administrative burden on those organisations where they do not already have a DPO in place. Even if a DPO is not formally required, the importance of meeting the requirements of the Regulation (because of the significant enforcement threat), the DPO will be an important role within the company, especially given the severe sanctions that could result from breach of the Regulation. It is also a role that will require a dedicated and specialist individual.
There could be a limited supply of sufficiently skilled DPOs and demand could exceed supply. As a result, there may well be a need to train up individuals currently performing other roles.
The existing EU Data Protection Directive (Directive 95/46/EC) contemplated the possibility that some data controllers might appoint a personal data protection official (DPO). Under Article 18(2) of the Directive, Member States have the power to provide for the simplification of or exemption from the requirement to notify data processing activities if the controller, in compliance with applicable national law, appoints a DPO. Most EU countries did not adopt a formal legal requirement to appoint a DPO under the Directive. For example, no such requirement exists in the UK. However, there are some countries such as Germany where there is a formal requirement in some circumstances.
Changes in detail
The Regulation makes it mandatory for data controllers and data processors to appoint a DPO in the following circumstances (Article 35):
(A) if the processing is carried out by a public authority or body, or
(B) the core activities of the data controller or the data processor consist of processing operations which by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects, or
(C) the core activities of the data controller or the data processor consist of processing special categories of data as listed in Article 9(1) (ie sensitive personal data), or data related to criminal offences.
The Regulation also sets out detailed requirements for the position and tasks of the DPO. Under Article 35(1)(5) the DPO must have expert knowledge of data protection law and practices to fulfil the tasks listed in Article 37 as a minimum. These tasks include:
(A) informing and advising the organisation's employees of their data protection obligations
(B) monitoring compliance with the Regulation and the organisation's policies
(C) providing advice on data protection impact assessments
(D) acting as the contact point for the supervisory authority and cooperating with the authority.
Article 36 requires the organisation to ensure that the DPO is involved in all issues which relate to the protection of personal data properly and in a timely manner, performs his or her duties and tasks independently and does not receive any instructions as regards the exercise of the function. The DPO must report directly to the organisation’s "highest management level" and DPOs may not be dismissed or penalised for performing his/her role as DPO.
Article 36(2) requires the organisation to support the DPO in performing the tasks by providing the resources necessary to carry out the duties and tasks referred to in Article 37, and to maintain his or her professional knowledge.
The initial drafts of the Regulation made it mandatory for most organisations to appoint a DPO. This has now been changed so that the obligation to appoint a DPO falls on a narrow set of organisations. However, we believe that many more organisations will nevertheless need to appoint a dedicated and specialist DPO to manage the additional compliance burden and enforcement risk associated with the Regulation.
The Regulation has also been watered down in that it originally provided for special employment protection afforded to DPOs which raised potentially problematic employment law issues, particularly in relation to dismissal and service contracts. The UK ICO questioned whether data protection authorities would have the authority to cope with employment law issues. Now the Regulation merely says that the DPO cannot be fired or disciplined merely for fulfilling his/her role. That would seem to be self-evident and probably adds little to general employment law protection. The status of DPOs within organisations will undoubtedly be enhanced. Aside from the greater importance and focus that data protection compliance will attract, the Regulation requires DPOs to have a reporting line into the C-level layer of management.
This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.