Mandatory to appoint a Data Protection Officer
Under the current EU Data Protection Directive 95/46/EC, and the Data Protection Act (Chapter 440) of the Laws of Malta, there is no mandatory requirement for companies or public authorities to appoint a Data Protection Officer (DPO).
This is not the case under the General Data Protection Regulation (GDPR), which has taken some concepts from Germany’s Federal Data Protection Act, a law that already required a data protection officer to be appointed. Under that Act, the appointment is required for firms with at least nine people employed in the automated processing of personal data, or where personal data is subject to prior checking, or where it is processed for the purposes of commercial data transfer, anonymized commercial transfer, or market or opinion research.
The General Data Protection Regulation introduces the new mandatory obligation for all controllers and processors who process personal data in certain specified circumstances to appoint a data protection officer.
Article 37 of the GDPR makes it a legal obligation to appoint a DPO where:
(a) the processing is carried out by a public authority or body (except for courts acting in their judicial authority); or
(b) the “core activities” of an entity involve “regular and systematic monitoring of data subjects on a large scale”; or
(c) the “core activities” of an entity involve “large scale” processing of “special categories of data”.
Article 37(2) of the Regulation provides that a “group of undertakings” (for example a parent company and its subsidiaries) may appoint a single DPO, provided that the DPO is easily accessible from each local European establishment.
The Data Protection Officer was one of the most heavily debated areas of the EU data protection reforms. The main points of debate were the importance of the DPO, how much work the role actually entails, and the criteria for deciding who does and does not need a DPO.
The main tasks of the DPO are the supervision of a company’s compliance with the GDPR as well as advising and overseeing staff dealing with personal data. The data protection officer will be responsible for everything related to data protection within the entity. This is stated in Article 38 (1) which states: ‘...ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data’.
The independence is enshrined in the GDPR as specifically stated in Article 38 (3) that, ‘the controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalized by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor’.
DPOs do not have to be lawyers but need to be suitably qualified, with expert knowledge of data protection laws and practices. From a practical perspective, DPOs must have a reasonable understanding of the company’s technical and organizational structure and be familiar with its IT infrastructure and technology.
The Federal German Data Protection Act generally requires that individuals must have the necessary knowledge and expertise in order to be appointed DPO. These include working knowledge of information and telecommunication technology, as well as data security (for example physical security, cryptography, network security, malicious software, and security measures).
A DPO without any ICT skills would find it difficult to assess appropriate encryption or pseudonymization practices, or to carry out the privacy impact assessments and consultations required by Articles 35 and 36. Backup strategies, the security of and access to personal-information workflows in particular applications, and the vulnerability of particular data transfers would also need to be taken into account.
Article 39 makes it clear that the following tasks will form part of a DPO’s role:
• Informing and advising the controller or processor and its employees of their obligations to comply with the GDPR and other Union or Member State data protection laws;
• Monitoring compliance with the GDPR and other Union or Member State data protection laws, including managing internal data protection activities;
• Training data processing staff and conducting internal data compliance audits;
• Advising with regard to data protection impact assessments (PIAs);
• Serving as the contact point for, and cooperating with, the relevant Data Protection Authority on issues relating to the processing of personal data;
• Being available for inquiries from data subjects on issues relating to data protection practices, withdrawal of consent, the “right to be forgotten”, and related rights.
The GDPR also grants DPOs certain rights and benefits. Article 38 (1) stipulates that companies, public authorities and bodies will be required to provide DPOs with the resources necessary to fulfil their job functions, and that DPOs should be provided with ongoing training.
Although many firms are already seeking to appoint or contract a DPO, it is estimated that over 28,000 DPOs are required in Europe alone. It is still to be seen whether there are sufficient resources with the ‘expert knowledge’ to meet the demand.
The role of the DPO should not be seen as that of a police force within the entity but as one based on trust. Their duty is to assist the entity in achieving compliance with the Regulation, to find a solution to data breaches, and to report these to ‘top management’, which can then decide on the appropriate action to be taken.