Mandatory to appoint a Data Protection Officer

Malta Independent - NEWS - Grace Craus. Grace Craus is a MITA Specialist on Data Protection.

Under the current EU Data Protection Directive 95/46/EC, and the Data Protection Act (Chapter 440) of the Laws of Malta, there is no mandatory requirement for companies or public authorities to appoint a Data Protection Officer (DPO).

This is not the case for the General Data Protection Regulation (GDPR), which has taken some concepts from Germany's Federal Data Protection Act, a law that already required a data protection officer to be appointed. Under that Act, the appointment has to be made by firms with at least nine people employed in the automated processing of personal data, or where personal data is subject to prior checking or is processed for the purposes of commercial data transfer, anonymized commercial transfer, or market or opinion research.

The General Data Protection Regulation introduces a new mandatory obligation for all controllers and processors who process personal data in certain specified circumstances to appoint a data protection officer.

Article 37 of the GDPR makes it a legal obligation to appoint a DPO where:

(a) the processing is carried out by a public authority or body (except for courts acting in their judicial capacity); or

(b) the "core activities" of an entity involve "regular and systematic monitoring of data subjects on a large scale"; or

(c) the "core activities" of an entity involve "large scale" processing of "special categories of data".

Article 37(2) of the Regulation provides that a "group of undertakings" (for example a parent company and its subsidiaries) may appoint a single DPO, provided that the DPO is easily accessible from each local European establishment.

The Data Protection Officer is one of the areas of the EU data protection reforms that were heavily debated. The major points of debate were the importance of the DPO, how much work the role actually entails, and the criteria for deciding who does and does not need a DPO.

The main tasks of the DPO are the supervision of a company's compliance with the GDPR as well as advising and overseeing staff dealing with personal data. The data protection officer will be responsible for everything related to data protection within the entity. This is stated in Article 38(1): '...ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data'.

The DPO's independence is enshrined in the GDPR, as specifically stated in Article 38(3): 'the controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalized by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor'.

DPOs do not have to be lawyers but need to be suitably qualified, with expert knowledge of data protection laws and practices. From a practical perspective, DPOs must have a reasonable understanding of the company's technical and organizational structure and be familiar with its IT infrastructure and technology.

The German Federal Data Protection Act generally requires that individuals have the necessary knowledge and expertise in order to be appointed DPO. This includes working knowledge of information and telecommunication technology, as well as data security (for example physical security, cryptography, network security, malicious software, and security measures).

It would be difficult for a DPO without any ICT skills to assess appropriate encryption or pseudonymization practices, or to carry out the privacy impact assessments and consultation required by Articles 35 and 36. Backup strategies, the security of and access to personal-information workflows in particular applications, and the vulnerability of particular data transfers would also need to be taken into account.

Article 39 makes it clear that the following tasks will form part of a DPO's role:

• Informing and advising the controller or processor and its employees of their obligations to comply with the GDPR and other Union or Member State data protection laws;

• Monitoring compliance with the GDPR and other Union or Member State data protection laws, including managing internal data protection activities;

• Training data processing staff and conducting internal data compliance audits;

• Advising with regard to data protection impact assessments (PIAs);

• Serving as the contact point for, and cooperating with, the relevant Data Protection Authority on issues relating to the processing of personal data;

• Being available for inquiries from data subjects on issues relating to data protection practices, withdrawal of consent, the "right to be forgotten", and related rights.

The GDPR also grants DPOs certain rights and benefits. Article 38(1) stipulates that companies, public authorities and bodies will be required to provide DPOs with the necessary resources to fulfil their job functions, and that DPOs should be provided with ongoing training.

Although many firms are already seeking to appoint or contract a DPO, it is estimated that over 28,000 DPOs are required in Europe alone. It remains to be seen whether there are sufficient people with the 'expert knowledge' to meet the demand.

The role of the DPO should not be seen as that of a police force within the entity but as one based on trust. Their duty is to assist the entity in achieving compliance with the Regulation, to find a solution to data breaches, and to report this to 'top management', which can then decide on the appropriate action to be taken.
