In December 2016, the EU’s Article 29 Working Party (A29WP)—a group comprised of EU national data protection authorities (DPAs) that advises the EU Commission on EU data protection law—issued a number of GDPR guidance documents, including explanations for the mandatory DPO role, new individual right to data portability, and how to identify a “lead authority” for the GDPR’s one-stop shop enforcement mechanism.
Why Should You Care?
Organizations that are subject to the GDPR’s broad scope and grappling with how to comply with the regulation finally have some guidance to refer to in implementing the GDPR’s provisions on data portability, the DPO’s role, and identifying the lead supervisory authority.
The Data Protection Officer (DPO)
The DPO Guidelines cover the designation of the DPO, the position of the DPO, and the DPO’s role/tasks. The GDPR requires the designation of a DPO in three cases: (1) where the processing is carried out by a public authority or body; (2) where the core activities of the organization consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale; or (3) where the organization’s core activities consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.
The Guidance expands the following terms used above to guide organizations in determining whether they have to designate a DPO:
- public authority or body is determined under national law
- core activities means the key operations necessary to achieve the organization’s goals
- regular and systematic monitoring includes all forms of tracking and profiling on the internet, including behavioral advertising
- large scale can be determined using the following factors: number of data subjects concerned; volume of data and/or the range of different data items being processed; duration, or permanence, of the data processing activity; geographical extent of the processing activity
- special categories of data or personal data relating to criminal convictions and offences refers to the special categories of data listed under Article 9 and personal data relating to criminal convictions and offences under Article 10
A few general rules to follow in designating a DPO:
1. Accessibility. The DPO must be accessible to the data subjects, the supervisory authority, and also internally within the organization. Her contact details must be available in accordance with the requirements of the GDPR, and she must be in a position to efficiently communicate with data subjects and cooperate with the supervisory authorities concerned.
2. Skills and Expertise. The DPO’s skills and expertise should be commensurate with the sensitivity, complexity, and amount of data an organization processes. For example, where a data processing activity is particularly complex, or where a large amount of sensitive data is involved, the DPO may need a higher level of expertise and support. The DPO should have expertise in national and European data protection laws and practices, an in-depth understanding of the GDPR, sufficient understanding of the organization’s processing operations, the information systems involved, and the organization’s data security and data protection needs. Additionally, the DPO’s personal qualities should include integrity and high professional ethics.
3. Position. The DPO must be involved from the earliest stage possible in all issues relating to data protection. In relation to data protection impact assessments (DPIAs), the GDPR explicitly provides for the early involvement of the DPO and specifies that the organization shall seek the advice of the DPO when carrying out such impact assessments.
4. Resources. The organization must support its DPO by providing her the necessary resources to carry out her tasks and access to personal data and processing operations, and to maintain her expert knowledge by providing the opportunity for continuing training. Active support of the DPO at the board level should be considered.
5. Independence. An organization must not provide the DPO any instructions regarding the exercise of her tasks, as she must be in a position to perform her duties and tasks independently. This means that DPOs must not be told how to deal with a matter, such as, what result should be achieved, how to investigate a complaint, or whether to consult the supervisory authority. Furthermore, the DPO must not be instructed to take a certain view of an issue related to data protection law. An organization should not fire or penalize the DPO for performing her tasks. And while the DPO may have other tasks and duties, the organization must ensure that these do not result in a conflict of interests.
6. Tasks. The DPO assists the organization to monitor internal compliance with the GDPR. An organization must seek the DPO when carrying out a DPIA. If the organization disagrees with the DPO’s advice, the DPIA documentation should reflect in writing the reasons why the DPO’s advice has not been taken into account.
Arent Fox’s Privacy, Cybersecurity & Data Protection group monitors developments in data protection field. If you have any questions, please contact Sarah L. Bruno, Eva J. Pulliam, Lourdes M. Turrecha, or the Arent Fox professional who usually handles your matters.