Have you been made the Data Protection Officer or DPO at your workplace? Don’t panic! In the time it takes you to have a cup of coffee, we’ll take you through your role and responsibilities.
You might be surprised, given all the noise about DPOs…
Stay with us, because at the end we’ll share a Bonus Tip that could really make the relationship between DPO and organisation a lot simpler and more efficient.
And you can watch our FREE video: ‘What does a DPO do?’, which is part of Privacy Kitchen – FREE video help with GDPR and all things Privacy. If you’re new to Privacy Kitchen, please do check it out here – and click subscribe and notify to hear about awesome Privacy Kitchen videos.
Well, let’s start with the easy part and run through the minimum tasks as set out in GDPR itself.
First, it’s to ‘inform and advise‘ the organisation and its employees of their legal obligations under GDPR and other applicable data protection laws. To do this, regulators say the DPO must be ‘involved properly’ and in a timely manner in all issues which relate to the protection of personal data.
Now, this will include:
Next – and equally important – to monitor compliance with the GDPR and other privacy laws and with the organisation’s own Data Protection Policies. So this will include:
GDPR also envisages the DPO, as part of that monitoring, monitoring compliance with Binding Corporate Rules, or BCRs – if you have those in place. Don’t worry if you don’t, it’s really about international transfers and, because it takes quite a lot of time and money to put in place, this tends to be done by multinational enterprises.
An important role for the DPO is to advise where requested on DPIAs or Data Protection Impact Assessments, the risk assessments under GDPR, and to monitor their performance. Note that word ‘advise’ again – EU regulators note it’s the task of the controller, not the DPO, to carry out a DPIA, but the DPO can play an important role in assisting that controller.
That advice could include:
Next, the DPO is the contact point for the Supervisory Authority like our UK ICO and cooperates with them. This may be, for example, in relation to a request for those Article 30 Records of Processing, a data subject query or complaint, or liaising about high-risk processing activities.
And, segway from that, in all tasks, the DPO has to have due regard to the risk associated with the processing. So that means they’ve got to focus first off on those operations that have the highest risk to data subjects.
So that’s the minimum a DPO needs to do. And you can see it’s all about advising, monitoring, training and cooperating. There’s not much operational involvement, and there’s a good reason for that.
The DPO has to carry out his or her role with independence, and while they’re allowed to have other tasks and duties, they cannot give rise to a conflict of interest.
GDPR even states that the organisations can’t instruct their DPO how to perform their tasks.
So with that conflict in mind, what can’t a DPO do?
The UK ICO puts it neatly:
‘the DPO shouldn’t be expected to manage competing objectives that could result in data protection taking a secondary role to business interests’.
We cover conflict of interests more thoroughly in our video ‘Who can be a DPO? So for now, let’s just note two types of people who will be conflicted:
So you can see that other tasks aren’t impossible, but you’ve really got to look at that conflict of interest. With that in mind, what else can the DPO do, over and above the minimum?
Well, a very lonely example from regulators is taking on the organisation’s task of maintaining the Article 30 Records of Processing. Article 30 Records give an overview of all the personal data processed by an organisation and so EU Regulators consider Article 30 Records one of the key tools for a DPO to perform his or her task of monitoring compliance and then informing and advising the organisation.
EU Regulators also suggest DPOs submit on annual report on their activity to the highest levels of management.
Now, if this doesn’t sound as extensive as you thought it would be, we don’t blame you. There’s a huge amount of coverage about DPOs. And lots of people are saying, very confidently, GDPR says you must have one. Public sector will generally need one, but most private sector don’t need one.
And now for that Bonus Tip! As you can see, for many people, a DPO is a part-time or a lumpy role. And it’s very easy for the sort of people you want to be DPO – with the knowledge of your business – to probably be conflicted.
So we strongly recommend you consider outsourcing your DPO. There are some great ones out there, it’s good value, they’ll bring excellent expertise and advice to the table immediately, saving you time on your compliance journey – and also saving having an employee in a difficult position.
So there you go! In less time than it takes to drink a cup of coffee, we’ve gone through the minimum tasks of a DPO, and we’ve seen there’s a framework about conflict of interest to look at when you want to give DPOs extra tasks. Although there are some, like the Article 30s that are safe for them to do.
So – please do look at the rest of our DPO series. If you’re private sector, particularly look at ‘Do I need a DPO?‘ and the sister blog.
And please do use #PRIVACYKITCHEN to tell us the questions and topics you want covered.
Stay well in the meantime, and we look forward to seeing you in Privacy Kitchen again soon!
Art 29 WP, WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’), Adopted on 13 December 2016, As last Revised and Adopted on 5 April 2017
EDPS Position paper on the role of Data Protection Officers of the EU institutions and bodies 30 September 2018
German DPA fine re IT Manager, 2016
Are you confused about the e-Privacy rules on B2B emails in the UK? Well, in the time it takes to have a cup of tea, we’ll set them out clearly.…
Brexit & the EU Representative What you need to know and do now! Join us for a Coffee Break in Privacy Kitchen as we interview Tim Bell, Founder & MD…