Regulation [EU] 2016/679 or as it is otherwise known, the General Data Protection Regulation (or simply the 'GDPR'), came into force more than two years ago and despite not reinventing the wheel of data protection law, many entities still think of this landmark legislation as being a complete Pandora's box.
Although processing of data has been taking place since the dawn of time (some of the earliest examples dating back to 300 BC), the precursors of modern data protection legislation only appeared around 100 years ago, and the main developments, particularly in Europe, only came about in the last 25 years or so. For some businesses, therefore, data protection seems 'new' and is perhaps treated as secondary to other principles of law which have regulated their practice since their inception. But with data being considered the new gold, and with more and more members of the general public becoming aware of their rights at law, integrating data protection compliance into a business's day-to-day operations is crucial. So how does the Data Protection Officer feature in this discussion? Let's start with some background.
- What is a DPO?
Simply put, the DPO assists the organisation in monitoring ongoing compliance, provides advice on Data Protection Impact Assessments (DPIAs), and acts as a contact point for both the supervisory authority and the data subjects.
- Does my business need to engage a DPO?
The GDPR introduced a duty for organisations to appoint a Data Protection Officer ('DPO') where they constitute a public authority or body, or where they carry out certain types of processing, such as large-scale regular and systematic monitoring of data subjects or processing of special categories of personal data. The appointment of a DPO can, however, also be made voluntarily, in order for the organisation to better achieve ongoing compliance with the provisions of the GDPR.
- Who can be engaged as a DPO?
The DPO can be an existing employee or can be appointed externally, and a single DPO can also be engaged for a group of undertakings, provided that the DPO is easily accessible from each establishment.
- What does the role of DPO entail?
In order to be able to fulfil its functions, the DPO must be (i) an expert in data protection; (ii) independent; (iii) adequately resourced; and (iv) reporting directly to the highest management level. These four factors are extremely important vis-à-vis the selection of the DPO and the proper undertaking of the DPO's role. The organisation must ensure that the DPO is involved in a timely manner in all matters relating to data processing and shall support the DPO by providing the necessary resources. Where the DPO fulfils other tasks and duties, the organisation must ensure that the undertaking of such duties does not result in a conflict of interests.
The decision of the 28th April 2020 handed down by the Belgian Data Protection Authority against Belgium's largest telecommunications operator sheds some more light on ensuring the engagement of an effective and independent DPO. Proximus SA was fined €50,000 for failing to protect its DPO from conflicts of interests by engaging its director of audit, risk and compliance as DPO. Whilst recognising that a DPO can have other tasks and duties, the Belgian authority set out that organisations should avoid putting the DPO in a 'self-monitoring' situation – if the DPO is in charge of undertaking certain data processing activities that he should also be monitoring for compliance with the GDPR, then there might be a problem. This decision also highlighted the need for the adoption of internal policies and rules for the prevention of conflicts of interests, which need to go hand-in-hand with the role of the DPO in the implementation of the privacy by design principle.
This recent judgment raises the question: how can you ensure an independent and effective DPO?
The DPO should understand the context of the organisation and have confidence in the application of measures. It is only when the DPO has sufficient knowledge and understanding of the workings of the organisation that proper steps to ensure compliance can be taken. One of these steps is that of increasing awareness in the organisation by integrating data protection into the DNA and culture of the organisation. The DPO needs to be the voice of compliance of the organisation and, at the same time, the voice of data subjects.
In this regard, it is also important to highlight the communication obligation set out in the GDPR, under which the organisation must publish the contact details of its DPO and also communicate the relevant appointment to the relevant supervisory authority. A dissuasive fine of €51,000 was handed down by the Hamburg Supervisory Authority against Facebook Germany GmbH in 2019 because it had failed to notify the authority of an already appointed DPO. In another judgment dated 9th June 2020, the Spanish data protection authority fined Glovoapp23 S.L. €25,000 because, firstly, (i) the company had not appointed a DPO even though it was obliged to do so under the GDPR, and, secondly, (ii) when the company did engage a DPO after the commencement of the investigations, it had not notified the supervisory authority of the same and had not published the DPO's details on its website for data subjects to direct their requests to.
As highlighted in the Belgian judgment referred to above, it must be noted that the DPO is not a decision maker on products or processes but provides advice on decisions – the organisation must own any decisions. In order to be properly involved in and aware of the goings-on in the company, and thus be able to provide proper advice, the DPO should adopt the mantra of 'the devil is in the details' and should not be afraid to poke and prod accordingly.
Ultimately, the organisation should not view the DPO as being a 'burden' or an obstacle to development or operations – rather, it should embed the culture of data protection from the very start of its operations, or as soon as is possible, and empower and embrace the DPO, and view the DPO as being a piece of the puzzle that is compliance with data protection law.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.