The coming Data Protection Officer, needed, expert & independent

A presentation was made about the to be established Data Protection Officer, claiming to be informed by the EU’s advice on what the law means. We looked at whether a DPO is needed, the expertise and skills required, and the requirement for independence.

Organisations will need a Data Protection Officer if,

  1. They are public sector,
  2. Their core activities involve processing operations[1] which require “regular and systematic monitoring”.
  3. Their core activities, performed at scale, involve processing operations on special categories of data or personal data relating tom crime, convictions and offences.

The definition of public sector is expected to be broad and potentially possess several tests. Most importantly, it’s the function performed, rather than the ownership structure. This will however be a member state definition.

Core activities are also to be defined in a broad fashion, IT support activities including both Payroll and Training and Appraisal systems are in scope of the core activity definition. Large scale is also not satisfactorily defined although the absolute number and its proportion of a population will be a factor, as will the volume of data and the proposed retention longevity of the data. The processing of customer data by financial services organisations will be large scale as will that of the telcos and search engines.

We had a discussion on what “regular and systematic” monitoring meant and whether it differed from transaction processing. It has become clear that big data has changed the way in which organisations work; in the case of insurance, for instance, the need to acquire and review past claims history makes the act of quoting for a policy an act of systematic monitoring and the new motor policies that measure the location, time and other behaviour of their customers are even clearer examples of “regular and systematic” monitoring. Fraud detection software is another case of such a system, particularly if profiling innocent customers to determine the differences between good actors and bad actors.

The expertise and skills of the proposed DPO were also considered, Recital 97 says,

(R97) … a person with expert knowledge of data protection law and practices should assist the controller or processor to monitor internal compliance with this Regulation. … The necessary level of expert knowledge should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor. Such data protection officers, whether they are an employee of the controller, should be able to perform their duties and tasks in an independent manner.

Knowledge and expertise of both the DP Laws, DP practice (i.e. adequate technical protection) and other regulations related to the business sector in question are required; I have previously mentioned the seeming conflicts between the need for transparency and privacy, most acutely and recently the needs of MiFID2 vs. the GDPR. Determining good practice will require a knowledge of the DP Law and other business relevant regulation. It’s important to remember that compliance is a legitimate purpose separate from consent and a contract.

The DPO must be independent and thus needs to be protected against conflicts of interest and unfair terminations. Employee conflict of interest can be mitigated through professional regulation and employers are constrained by the law not to issue instructions regarding the performance of the DPO’s tasks. These tasks are defined in Article 39, and consist of advice on the legal obligations, monitoring of compliance, advise on data impact statements, co-operate and communicate with the supervisory authority. They will also participate in the development of any risk based GDPR compliance policies and rules. It is expected that the DPO will “involved and in a timely manner, in all issues …”

The full range of skills may be made available in a team, but a principal contact must be named and their details published, although not necessarily their name, and communicated to the supervisory authorities. The DPO must be properly resourced but the responsibility for decisions and compliance remains that of management.

[1] There is also a scale requirement to be triggered.

Comments are closed.