PART 2 - Data Protection Officers: Who is the ideal candidate?
A few years ago, the IAPP estimated that nearly 30,000 data protection officers would be needed for companies to achieve compliance with the General Data Protection Regulation (2016/679, "GDPR"). Now, in 2021, that requirement is as strong as ever.
As the world of data privacy has become more complex in light of Brexit, international transfers, the invalidation of the EU-US Privacy Shield and the impending new Standard Contractual Clauses, having the right person as your Data Protection Officer is more important than ever - whether the appointment is compulsory or voluntary.
In the first part of our two-part series, we looked at whether a company has a legal requirement to appoint a Data Protection Officer, and whether it can be a good idea for a company to appoint one on a voluntary basis as a data privacy compliance tool.
In this second part of the mini-series, we set out the key requirements for a Data Protection Officer ("DPO"), and how companies can proceed with an appointment to drive their privacy compliance forwards.
What profile should a DPO have?
The GDPR does not set out a list of required credentials for a DPO.
However, this does not mean that any person can be appointed as DPO as a tick-box exercise. Article 37(5) GDPR requires the DPO to be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks of the role. This does not necessarily need to be a lawyer, but it must be someone with a good knowledge of the GDPR and data protection. It can often be helpful to appoint an individual with IT security knowledge, since the DPO must be able to assess whether the technical and organisational measures the company relies on actually deliver the confidentiality and security of personal data that the GDPR requires (Article 32), especially when processing takes place in a digital or online environment.
Possibility for an external appointment
A DPO does not have to be an in-house employee - under the GDPR, external DPOs are permitted (for example, external law firms or consultants working on a freelance basis).
Accordingly, whether on an external or employed basis, DPOs are able to work on a full-time or part-time contract, provided that they are able to dedicate sufficient time and resources to fulfilling their obligations. This may be subject to local law requirements depending on the jurisdiction in which you operate, so local advice should always be sought!
Key Requirements: Autonomy and Independence
There must be no conflict of interest between a DPO, the company and upholding the spirit of the GDPR, meaning that an appointed DPO should not have any current duties or responsibilities that could get in the way of their monitoring role. In practice, this rules out anyone who determines the purposes and means of processing personal data, since they would be monitoring their own decisions. Breaching the conflict of interest rule exposes the company to a fine of up to €10 million or 2% of its worldwide annual turnover, whichever is higher.
A couple of years ago, the Bavarian Data Protection Authority advised that a member of an in-house legal department may have too many conflicts of interest to be a DPO, since they may be required to represent the company in legal proceedings.
Furthermore, a CEO or other senior member of the management board is unlikely to be an appropriate DPO. Not only do the functions of a DPO require specific time and attention which may be incompatible with the functions of senior company members, but such a person is also unlikely to be entirely impartial: there may be a tendency (even an indirect one) to play down GDPR risk in order to avoid sanctions which create financial exposure and affect the organisation's profits. If you think there might be a conflict of interest, there probably is one, and to avoid issues it is worth ensuring the DPO is fully independent.
When appointing a DPO, ensure that they are an expert in data protection law and that they understand your company's IT infrastructure and its technical and organisational structures.
Every company is different
Understand your company's unique selling points and how it operates within its chosen sector, and work out which aspects of your company matter most, particularly if personal data processing is a core part of your business (for example, if you are running a staffing agency with large volumes of candidate data, or are carrying out systematic data processing on behalf of your clients through online data analytics).
The freedom to choose your own internal or external DPO means you can choose an officer who embodies the values you wish your company to uphold, and who can bring a fresh perspective on how personal data is secured.
How to appoint a DPO
Appointing a DPO does not mean that your company will be exonerated for any GDPR compliance failings!
In guidelines published in 2016 in readiness for the GDPR, the Article 29 Data Protection Working Party advised that a controller, processor or sub-processor remains ultimately responsible for ensuring that its policies and practices are in line with the GDPR. This means that regardless of how much autonomy a DPO is given, the company that appoints them remains liable for any data breaches and non-compliance, and the DPO is not personally accountable under the GDPR for the company's failings.
EMPLOYEE - THE CASE FOR AN INTERNAL DPO
When you are appointing a DPO as an employee, you should bear this in mind, and engage them under an employment contract with a clear job description which complies with local employment and labour laws.
Although the appointment of a DPO does not exonerate a company for its own GDPR breaches, this does not mean that a DPO has no liability for their own actions. They remain answerable for non-compliance with general employment procedures and can be dismissed or penalised on grounds unrelated to data protection, just as any other senior employee would be. Note, however, that the GDPR protects the DPO from being dismissed or penalised for performing their tasks.
SERVICE AGREEMENT - FOR EXTERNAL APPOINTMENTS
When appointing a DPO on an external basis, such as through a law firm or external consultancy, it is important to ensure that the relationship is set out in a formal service agreement which sets out each party's roles and responsibilities.
In order to reduce risk, be clear in your contracts about the standard of care that you expect from your DPO, and make sure that you support the DPO in their role. If a DPO is put in a position where they cannot complete the tasks expected of them - for example, if they are not given adequate resources or training - their degree of responsibility will likely be reduced, and the failure to resource them is itself a compliance risk for the company.
Should you have any queries on whether you need to appoint a DPO or if you have any other privacy or data protection enquiries, please don’t hesitate to get in contact!
Article by the Team @ Gerrish Legal, May 2021