Not sure who can be the Data Protection Officer, or DPO, for your organisation? Are you wondering if YOU can be the DPO for your organisation?
Don’t panic! We’ll cover off exactly who can and who can’t be DPO. And stay with us because we’ll finish with the biggest point that may just save you and your organisation a load of embarrassment, and potentially far more.
And you can watch our FREE video: ‘Who can be DPO?’, which is part of Privacy Kitchen – FREE video help with GDPR and all things Privacy. If you’re new to Privacy Kitchen, please do check it out here – and click subscribe and notify to hear about awesome Privacy Kitchen videos.
If you’re reading this, you’ve decided you either need – or really want – a DPO. Hopefully, you watched our FREE video on the 3-part test or read its sister blog post before you made that decision? If not, go do that now, it’s the fundamental question on DPOs and Part 1 of our Privacy Kitchen DPO series.
Okay, the big question: who can – and who can’t – be your Data Protection Officer, or DPO? Let’s find out!
Links are at the end of the blog as always.
First off, some great news: although regulators do hope that you make an employee your DPO, you don’t have to. You can outsource this to an individual or organisation – and we seriously recommend you consider this. If you do outsource it to an organisation, do make sure you have the name of the single individual who’ll be lead person for you.
And, helpfully, a single DPO can act for more than one organisation provided the DPO is ‘easily accessible’ from each establishment. So what does that mean?
Well, the DPO is the contact point for the data subject, for the processor or the controller who’s appointed them, and for the supervisory authority, like our UK Information Commissioner’s Office or UK ICO. So, being easily accessible means something about location and language skills.
Regulators recommend that the DPO is located in the EU, regardless of where the controller or processor’s established. But they do recognise that in some situations where the controller or processor doesn’t have an establishment in the EU, it may be that the DPO can do their role better outside the EU, presumably close to the entity that’s appointed them.
And on language skills, the DPO must be able to efficiently communicate with data subjects and supervisory authorities, and regulators say that means in the language or languages used by those authorities and by those data subjects.
Now, in practice, we wouldn’t panic about finding someone who speaks six languages – make sure your DPO is really capable, and is supported by people who speak the required languages.
So we’ve already established:
Now the biggest and most misunderstood – potentially controversial – factor: conflict of interest.
The key rule here is that DPOs are allowed to have other tasks and duties, but only if those other tasks and duties do not give rise to ‘conflicts of interests’.
This means that two categories of people are potentially conflicted:
Examples are always great and Europe’s regulators have given us some really useful examples.
EU Regulators confirm that the C-suite and senior roles are likely to be conflicted:
as well as roles lower down in the organisational structure if their roles lead to them ‘determining the purposes and the means‘, or the why and the how, of processing.
And EU regulators see that any person who represents the controller or processor in a court in cases involving data protection is also likely conflicted. Again, in our view, they’re clearly conflicted and we’re in good company as the EU Data Protection Supervisor agrees with us.
Well, they didn’t actually agree with us. It’s in their guide to DPOs on a GDPR-style law that applies to EU institutions – it is very persuasive on GDPR. The EDPS agrees about the C-suite roles and adds senior roles in Internal Audit.
And on ‘marking your own homework‘, they give two interesting examples where conflicts of interest may typically arise:
So what about our good old UK ICO? Well, they were part of that EU body and so, unsurprisingly, they do echo that position. They give a couple more examples:
And, before GDPR came in, there was a very interesting case in Germany under a similar DPO law, where a regional Data Protection Authority fined a company for using its IT Manager as DPO. They decided the IT Manager had significant operational responsibility for the processing, and so was conflicted.
The Belgian DPA also cited German legal doctrine on DPOs in making its decision. Germany’s had a much more extensive DPO obligation for many years, including a similar independence requirement -as we saw in the German IT Manager example above.
And here’s that Bonus Tip.
We’ve spoken to plenty of DPO’s at organisations that clearly don’t need one, or haven’t really understood what the role’s about. If that’s you, do have the conversation, because if you’re conflicted, the moment a more sophisticated customer or investor – so one that you really want – takes a look at you, they’ll assume you just don’t understand GDPR.
So here’s the tip. Well, two actually!
Make that senior employee the Privacy Officer or Privacy Manager. Just don’t call them the DPO, because it instantly applies GDPR obligations on both the entity and the person. And if you really want a DPO, or you just need a DPO, and you don’t have someone good for it in-house, consider outsourcing it. It’s cheap, there are some great ones out there and they’ll bring instant experience and advice. It’ll take a load of stress away from your employees and help you go much faster on compliance.
Do use #privacykitchen to let us know the other topics and questions you want covered.
Stay well in the meantime and see you soon in Privacy Kitchen!