More than nine months have elapsed since the 25th of May 2018, the date of the coming into force of the General Data Protection Regulation ('GDPR' or 'Regulation'), and yet there are many aspects of this Regulation which have not been fully understood or implemented by those whom it affects the most. Expecting full GDPR compliance across the board is unrealistic, however data controllers and data processors that have not even began working towards compliance are risking. The GDPR imposes a variety of obligations on both controllers and processors which, if ignored, may very well lead to significant fines that can potentially cripple even the largest of corporations.
One of the many obligations which has been introduced by the GDPR is the mandatory appointment of a Data Protection Officer ('DPO') in those cases where the controller or processor carry out certain types of processing activities. Organisations processing personal data are therefore asking themselves: What is a DPO? Do I need to appoint one? Although the concept of the DPO is not new, the obligation to appoint one has been introduced by the GDPR.
The Role of the DPO
The DPO is expected to have a certain degree of involvement in matters relating to the processing activities carried out by the controller or processor. In fact, the Regulation stipulates that the DPO is to be "involved, properly and in a timely manner, in all issues which relate to the protection of personal data". An example of the level of involvement expected of the DPO can be seen in the procedure relating to Data Protection Impact Assessments ('DPIA'), where these are required. The GDPR states that when carrying out a DPIA, the controller must seek the advice of the DPO (where one has been appointed).
The law also highlights the importance of organisations supporting their DPO by providing adequate resources for the DPO to fulfil his tasks as well as giving him access to the personal data as well as to the processing operations which fall within the DPO's remit.
Moreover, the DPO must be permitted to perform his functions autonomously and in an independent manner. This does not mean that the DPO is to be given decision making powers which extend beyond his intended functions, however the appointed individual should be given the freedom to perform those tasks explicitly stipulated under the provisions of the GDPR. The Regulation protects the DPO's autonomy by prohibiting the controller or processor from dismissing or penalising the DPO for merely performing his tasks.
It is crucial to note that in the performance of his tasks, the DPO's actions should not result in a conflict of interests. This is closely related to the requirement of independence and may consequently prove to be an issue in the case of an internally designated DPO since the appointed individual should not occupy a position within the organisation that leads him to determine the means and purposes of processing of the personal data.
Tasks of the DPO
The main responsibilities of the DPO are listed in the Regulation, however such list is by no means exhaustive. One of the general functions of the DPO is the monitoring of GDPR compliance within the controller or processor's organisation. It should be made clear however that the DPO is not personally responsible for an organisation's non-compliance. In its 'Guidelines on Data Protection Officers' the Article 29 Data Protection Working Party ('WP29') – which has since been replaced by the European Data Protection Board ('EDPB') – makes it clear that the responsibility for compliance ultimately rests with the controller or processor, not the designated DPO.
Another central task of the DPO is co-operating with the office of the Information and Data Protection Commissioner ('IDPC') as well as acting as a contact point. The importance of this particular function will become evident in the case of any data breach since there may be certain time constraints within which specific actions must be taken by the organisation committing said breach.
Expertise of the DPO
The GDPR states that the designated DPO should have "expert knowledge of data protection law", however the law does not state that such individual must necessarily be a legal professional. The level of expertise expected is one that is commensurate with the sensitivity, complexity and amount of data an organisation processes. This is therefore dependent on the processing activities carried out by the controller or processor, as the case may be.
Mandatory designation of the DPO
The Regulation imposes the mandatory designation of a DPO where:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller or processor consist of processing operations which [...] require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or processor consist of processing on a large scale of special categories of data [...] and personal data relating to criminal convictions [...]
Ideally controllers and processors should seek legal advice when determining whether the data processing activities they carry out fall within the meaning of any of the three abovementioned categories. In the abovementioned DPO guidelines, the WP29 goes into detail on what is to be understood by each of the three said categories. An organisation may nonetheless voluntarily designate a DPO, even if not obliged to do so by the GDPR, and indeed it is likely to be considered to be good practice to do so.
It is worthy to note that the individual appointed as DPO need not be someone who is already employed by the controller or processor. Such role may indeed be outsourced to a third party who is extraneous to the controller or processor's organisation. Moreover, a group of undertakings are permitted to appoint a single DPO to fill the role, as long as such individual remains "easily accessible from each establishment" and can therefore still carry out all his functions effectively. Regardless of whether the DPO is internal or external, his functions remain the same.
 CNIL, the French supervisory authority has very recently fined Google €50 million for a breach of the GDPR.
 Article 38(1) of the GDPR.
 Ibid article 35(2).
 Ibid article 39(1).
 Ibid article 37(5).
 Ibid article 37(1).
 Ibid article 37(2).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.