DPOs Part 3 - What does a DPO do

Decision made, you need a DPO, but what do they do?

What does a DPO do?

Have you been made the Data Protection Officer or DPO at your workplace?  Don’t panic!  In the time it takes you to have a cup of coffee, we’ll take you through your role and responsibilities.

You might be surprised, given all the noise about DPOs…

Stay with us, because at the end we’ll share a Bonus Tip that could really make the relationship between DPO and organisation a lot simpler and more efficient.

And you can watch our FREE video: ‘What does a DPO do?’, which is part of Privacy Kitchen – FREE video help with GDPR and all things Privacy.  If you’re new to Privacy Kitchen, please do check it out here – and click subscribe and notify to hear about awesome Privacy Kitchen videos.

So … what does a DPO do?

Well, let’s start with the easy part and run through the minimum tasks as set out in GDPR itself.

Inform and advise

First, it’s to ‘inform and advise‘ the organisation and its employees of their legal obligations under GDPR and other applicable data protection laws.  To do this, regulators say the DPO must be ‘involved properly’ and in a timely manner in all issues which relate to the protection of personal data.

Now, this will include:

  • being invited to participate regularly in senior and middle management meetings,
  • being present when decisions with data protection implications are taken,
  • being consulted promptly on a data breach or another incident,
  • having all relevant information passed to him or her in a timely manner to allow them to provide adequate advice, and
  • having their opinion given due weight.  In fact, regulators recommend organisations document the reasons when they don’t follow a DPO’s advice.

Monitor compliance

Next – and equally important – is to monitor compliance with the GDPR and other privacy laws and with the organisation’s own Data Protection Policies.  So this will include:

  • the assignment of responsibilities,
  • awareness-raising and training of staff,
  • collecting information to identify processing activities – and we’ll come onto the Article 30 Records in a moment,
  • analysing and checking the compliance of those processing activities,
  • audits and monitoring complaint handling, and then
  • advising, informing and issuing recommendations to the organisation.

GDPR also envisages that, as part of that monitoring, the DPO monitors compliance with Binding Corporate Rules, or BCRs – if you have those in place.  Don’t worry if you don’t: BCRs are really about international transfers and, because they take quite a lot of time and money to put in place, they tend to be used by multinational enterprises.

DPIA Advice

An important role for the DPO is to advise where requested on DPIAs or Data Protection Impact Assessments, the risk assessments under GDPR, and to monitor their performance.  Note that word ‘advise’ again – EU regulators note it’s the task of the controller, not the DPO, to carry out a DPIA, but the DPO can play an important role in assisting that controller.

That advice could include:

  • whether or not to carry out a DPIA,
  • how to carry out that DPIA,
  • whether to do it in-house or to outsource it,
  • what safeguards to apply to mitigate risks to data subjects,
  • whether or not the DPIA was correctly carried out, and
  • whether its conclusions are compliant with GDPR.

Liaison

Next, the DPO is the contact point for the Supervisory Authority, such as the UK ICO, and cooperates with them.  This may be, for example, in relation to a request for those Article 30 Records of Processing, a data subject query or complaint, or liaising about high-risk processing activities.

Risk, all about risk

And, as a segue from that, in all of these tasks the DPO has to have due regard to the risk associated with the processing.  So that means they’ve got to focus first of all on those operations that pose the highest risk to data subjects.

So that’s the minimum a DPO needs to do.  And you can see it’s all about advising, monitoring, training and cooperating. There’s not much operational involvement, and there’s a good reason for that.

The DPO has to carry out his or her role with independence, and while they’re allowed to have other tasks and duties, they cannot give rise to a conflict of interest.

GDPR even states that the organisations can’t instruct their DPO how to perform their tasks.

So with that conflict in mind, what can’t a DPO do?

Conflict of Interest

The UK ICO puts it neatly:

‘the DPO shouldn’t be expected to manage competing objectives that could result in data protection taking a secondary role to business interests’.

We cover conflicts of interest more thoroughly in our video ‘Who can be a DPO?’.  So for now, let’s just note two types of people who will be conflicted:

  • those involved in determining the purposes and means of processing – the why and the how – that’s likely to be the C-Suite and senior management, and
  • anyone involved in designing or operationalising compliance measures, because they’re effectively going to be marking their own homework.

So you can see that other tasks aren’t impossible, but you’ve really got to look at that conflict of interest.  With that in mind, what else can the DPO do, over and above the minimum?

Well, a very lonely example from regulators is taking on the organisation’s task of maintaining the Article 30 Records of Processing.  Article 30 Records give an overview of all the personal data processed by an organisation and so EU Regulators consider Article 30 Records one of the key tools for a DPO to perform his or her task of monitoring compliance and then informing and advising the organisation.

EU Regulators also suggest DPOs submit an annual report on their activity to the highest levels of management.

Eh?

Now, if this doesn’t sound as extensive as you thought it would be, we don’t blame you.  There’s a huge amount of coverage about DPOs.  And lots of people are saying, very confidently, that GDPR says you must have one.  Public sector organisations will generally need one, but most private sector organisations don’t.

Bonus Tip!

And now for that Bonus Tip!  As you can see, for many people, a DPO is a part-time or a lumpy role.  And it’s very easy for the sort of people you want to be DPO – those with the knowledge of your business – to be conflicted.

So we strongly recommend you consider outsourcing your DPO.  There are some great ones out there, it’s good value, they’ll bring excellent expertise and advice to the table immediately, saving you time on your compliance journey – and also saving having an employee in a difficult position.

So there you go!  In less time than it takes to drink a cup of coffee, we’ve gone through the minimum tasks of a DPO, and we’ve seen there’s a framework about conflict of interest to look at when you want to give DPOs extra tasks – although there are some, like the Article 30 Records, that are safe for them to do.

So – please do look at the rest of our DPO series.  If you’re private sector, particularly look at ‘Do I need a DPO?’ and the sister blog.

And please do use #PRIVACYKITCHEN to tell us the questions and topics you want covered.

Stay well in the meantime, and we look forward to seeing you in Privacy Kitchen again soon!

Links

GDPR itself!

Art 29 WP, WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’), adopted on 13 December 2016, as last revised and adopted on 5 April 2017

EDPS Position paper on the role of Data Protection Officers of the EU institutions and bodies, 30 September 2018

UK ICO Guide to DPOs

German DPA fine re IT Manager, 2016

Belgian DPA fine re Head of Audit, Risk & Compliance, 2020
