Role Of The Data Protection Officer (DPO)
There are a lot of questions being asked about the role of a DPO and when and where one is needed under the GDPR. Other questions being asked are: what does a DPO do? Who will they report to? Do they need to be independent and free of conflict? And how do you ensure there is not a conflict in their duties?
This article hopefully will provide some high-level clarity on the role of a DPO under the GDPR. The GDPR makes the DPO role central to the protection of personal data in an organisation. DPOs are to be involved from the outset to ensure that the controls for data protection are an integral part of the organisation’s processes and that privacy is by design in everything it does. However, not all organisations are mandated to have a DPO, but in many circumstances organisations will want to hire one or seek the services of one regardless. So do you need a DPO?
Yes and no. The GDPR requires you to have a DPO under the following three circumstances:
- Where the processing is carried out by a public body
The definition of what constitutes a public body is left by the GDPR to be determined by national, not EU, law. However, this will typically mean all local governments, central government departments, executive agencies, quangos, NHS trusts etc. These will fall into this category and therefore will need a DPO. Conversely, Processors are not required, but are recommended, to engage a DPO because they are processing on behalf of a public body. Processors may in their own right require a mandatory DPO where the aggregation of their processing makes it fall under “large scale”. See below.
- Where core activities require regular and systematic monitoring of personal data on a large scale.
Now, this is where it gets interesting, as there are a few terms introduced here, such as “core”, “regular” and “systematic”, that will delineate whether you will need a DPO or not.
“Core activities” can be considered as the key operations necessary to achieve the controller’s or processor’s goals under the GDPR.
A core activity would be anything that is required as an integral part of the business.
For instance, if an organisation is providing a security surveillance or monitoring service, then its core activity would be systematic and regular monitoring. Or take the NHS: although its core business is patient health and wellbeing, this cannot be discharged without processing and monitoring patient health data. In this circumstance, a DPO would be required.
ISPs, marketing companies and social networks that use tracking and behaviour monitoring will fall into regular and systematic monitoring. This may include popular apps. Conversely, a company just holding records of its own personnel, such as HR records, is unlikely to require a designated DPO, as this is not its core activity.
- Where core activities involve large-scale processing of sensitive personal data.
This one is tricky, as what constitutes “large-scale” is not defined by the GDPR and is instead left for organisations to interpret. I expect this will be defined by national law or case law. To help interpret it, the EDPB has provided some examples of the types of organisations that would certainly fall into this category, considering:
- The number of data subjects concerned – either as a specific number or as a proportion of the
- The volume of data and/or the range of different data items being processed
- The duration, or permanence, of the data processing activity
- The geographical extent of the processing activity
Examples of large-scale processing include:
- processing of patient data in the regular course of business by a hospital
- processing of travel data of individuals using a city’s public transport system (e.g. tracking via
- processing of real-time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in these activities
- processing of customer data in the regular course of business by an insurance company or a bank
- processing of personal data for behavioural advertising by a search engine
- processing of data (content, traffic, location etc.) by telephone or internet service providers
I would guess this will include large taxi firms, ones with or without taxis, Boris Bikes, TfL – Oyster card in the UK, food delivery services, restaurant booking systems, loyalty cards, employee incentive schemes, marketing companies, air miles, large supermarkets, map providers and so on.
Under the large-scale definition, a Controller may itself not need a DPO, but a Processor processing personal data for multiple clients may fall under this definition and need a DPO in its own right: due to the aggregated processing, its operations become large scale.
There will be much debate around this in the coming weeks and months. I would, therefore, expect further guidance at the EU and/or national level. It would be safe to say that if you are regularly processing millions of records then you will need a DPO. Watch this space.
Even where a DPO is not mandatory, if a large organisation is processing large amounts of information it is advisable to have someone who can deal with privacy and/or personal data protection related queries, provide advice and guidance with regard to compliance and deal with any related incidents. The person does not have to be dedicated, although large organisations may as well have one. I suspect most large organisations already have a privacy or data protection team.
If a decision is made not to appoint a DPO, the assessments and considerations made and the process taken to reach that decision must be documented for auditing purposes. The IAPP website has a flowchart to help you interpret and decide if you will need to appoint a DPO.
If you do not have one or just need a DPO on an ad-hoc basis, then you may want to explore our Virtual DPO Services.
What does a DPO do?
In short, the DPO is the go-to source for data protection advice. Their role is to promote, advise on and ensure that the organisation’s functions and processes are in compliance with the GDPR, that the risks of any processing and its impact on the privacy of individuals have been considered, and to assist the Controller or the Processor. The DPO will help to determine if a DPIA is required and assist in carrying out the Data Protection Impact Assessment (DPIA). They are independent of delivery and free of conflict.
The DPO has to be accessible to the data subject and be ready to resolve any issues raised by the Subject or the Supervisory Authority. Their contact details must be published. Note that it is not necessary to publish the DPO’s name, although it is recommended and good practice, and the name should be supplied to the Supervisory Authority too. However, in the event of a data breach the name must be provided to the subjects.
These are the sorts of nuances that will catch organisations out.
As well as being accessible to the Data Subject, they are also the point of contact for the Supervisory Authority. However, it is important to note that the DPO is not accountable for compliance with the GDPR. Accountability remains with the Controller and the Processor.
It is incumbent on the Controller and Processor to support and resource the DPO appropriately to be able to discharge their duty.
Where does the DPO sit and whom do they report to?
So where does the DPO sit within an organisation?
The GDPR is mute as to where in the organisation the DPO should sit. However, it does provide guidance on the independence, conflict of interest and empowerment of the DPO that should help organisations decide where the role should sit.
The DPO should be positioned in the organisation where they have independence and access to the senior decision makers.
This is perhaps why it should not be within IT, Service Management or HR. The most suitable position, depending on the organisational structure, would be in a compliance section, but not information security compliance. The role could report directly to the head of regulatory and legal compliance with a dotted line to the COO or CEO. However, the DPO typically should not be the CEO, COO, Head of HR, a Head of Department or the Head of Marketing who is responsible for complying with the GDPR, i.e. those having a direct interest in the processing of personal information.
One would not expect the role to report to the CISO or even the CIO either. Yes, these are important stakeholders, but theirs is still a delivery role in terms of compliance. Each organisation will have to make its own careful consideration and document its rationale for the positioning of the DPO role.
The DPO will have to be independent, as they will have to enforce the GDPR internally across the whole organisation; therefore they cannot be both poacher and gamekeeper. They are not prohibited from holding other roles, but those roles must not be in conflict. It would be a good idea to map out the DPO role using something like a RACI or PARIS matrix to ensure segregation/separation of duties.
If you are sharing a DPO, then they must be accessible to each party and the allocation of time and tasks should be covered by a service contract.
Skills and qualities of the DPO
The DPO is expected to have certain skills and knowledge, amongst these are detailed and expert knowledge of the GDPR and its application, as well as the business context and operations of the data processing carried out by the business. A good grounding in information security and data protection technologies is also vital.
They should be able to maintain independence whilst still building relationships and trust with important stakeholders within and outside the organisation.
They should be open, approachable, collaborative in nature and command respect. A centre of knowledge on GDPR, they are easily accessible to the Data Subject as well as the Supervisory Authority (e.g. the ICO).
Authority and support for DPO
The DPO has authority over data protection activities and decisions; they must be consulted on data protection matters and their advice taken. If an organisation decides not to follow that advice, then the rationale and the analysis undertaken to reach that decision must be documented.
The DPO’s authority and autonomy should be guaranteed by the senior management, including the Board of the organisation. The need for independence means no interference or instructions on how a DPO is to do their job or any curtailment or hindrance in discharging their GDPR duties. The DPO is a “protected role”, in that they cannot be penalised, bullied, pressured directly or indirectly or sacked for doing their job.
The authority and independence will be provided through sufficient resources, training and support.
Is the DPO liable for Breaches?
The DPO is an independent role and therefore is an interface between the DPA and the Data Controller. The DPO is not responsible for the actions or inaction of the data controller/organisation and they, therefore, will not be liable for any breaches or non-compliance.
“It’s not the responsibility of the DPO if there is an enforcement action,” WP29 Chairwoman Andrea Jelinek said. “It’s the responsibility of management. Our enforcement action won’t be against DPOs, it will be against the company. The DPO must be independent.”
The DPO role can be a source of independent advice and authority for an organisation; it can be part-time, internal or outsourced. There are certain conditions where it is mandatory, and it needs to be free of conflict of interest.
This is just a synopsis of the important points and was not designed to be a comprehensive catalogue of the detailed Articles and Recitals, of which there are too many to detail here. I have tried to broadly cover the EDPB guidance on the DPO without quoting it verbatim. The EDPB (Working Party 29) has provided a plethora of guidance on the role of the DPO, which should be referenced for detailed guidance. Articles 37, 38 and 39 should be the main source of reference.
About the author: Moyn Uddin is a data protection professional. He is an IBITGQ certified GDPR Practitioner.
More blogs on GDPR and Cyber Security can be found at www.cybercounsel.co.uk