After four years of preparation and debate the General Data Protection Regulation (GDPR) was finally approved by the EU Parliament on 14 April 2016. The Regulation was adopted and published on 27 April 2016 and will be enforceable on and from 25 May 2018. The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU) whilst addressing the export of personal data outside the EU. It regulates EU citizens' data in every part of the world and in every organisation processing or storing an EU citizen's data.
The EU GDPR replaces the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organisations across the region approach data privacy.
This new law will have a profound impact on the operational and control environment of organisations, not only within the EU but also organisations based outside the EU, including in India. It extends the scope of EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonisation of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations.
However, in some areas, the precise interpretation of the GDPR remains unclear, and businesses therefore face uncertainty in terms of their compliance obligations. To address this issue, the GDPR is supplemented by guidance issued by the Article 29 Working Party (WP29), an advisory body made up of representatives of the national Data Protection Authorities of each EU Member State.
Provision for Data Protection Officer (DPO)
The GDPR has a mandatory provision for the appointment of Data Protection Officer by pertinent organisations. The role of Data Protection Officer (DPO) is an important GDPR innovation and a cornerstone of the GDPR’s accountability-based compliance framework. In addition to supporting an organisation’s compliance with the GDPR, DPOs will have an essential role in acting as intermediaries between relevant stakeholders e.g., supervisory authorities, data subjects and business units within an organisation.
All organisations that will be required by the GDPR to appoint a DPO should do this as soon as possible and well in advance of May 2018. Given the authority to carry out their critical function, the Data Protection Officer will be of pivotal importance to an organisation's preparations for the GDPR and to meeting its accountability obligations.
A DPO may be a member of staff at the appropriate level with the appropriate training; however, the GDPR also provides for the option of an external DPO who is shared by a group of organisations.
It is important to note that DPOs are not personally responsible where an organisation does not comply with the provisions of GDPR. The GDPR makes it clear that it is the Controller or the Processor of the organisation who is required to ensure and to be able to demonstrate that the processing is in accordance with the GDPR. Data protection compliance is ultimately the responsibility of the Controller or the Processor.
Who needs a DPO
For the first time Data Controllers as well as Data Processors are required to appoint a Data Protection Officer in three situations as per Article 37(1) of the GDPR.
Where the processing is carried out by a public authority or body
Any organisation that is a public authority or a public body must appoint a DPO. However, the GDPR does not define the expression 'public authority or body'. Rather, the GDPR leaves it to each EU Member State to determine which organisations are public authorities and public bodies. Where a private business performs outsourced public functions on behalf of a public authority or a public body, the WP29 recommends that such a business should appoint a DPO, not merely in relation to those outsourced public functions, but also in relation to all of the other data processing activities of that business, including processing activities that are unrelated to the outsourced public functions.
Where the core activities of the Controller or the Processor comprise processing operations which require regular and systematic monitoring of data subjects on a large scale
Under this provision, companies whose primary activities involve processing personal data on a large scale for the purposes of behavioural advertising, online tracking, fraud prevention, detection of money laundering, administering loyalty programmes, running CCTV systems, monitoring smart meters etc., will be caught by the DPO requirement. Core activities can be defined as the key operations necessary to achieve an organisation's (Controller's or Processor's) goals. For example, a private security company which carries out surveillance of private shopping centres and/or public spaces using CCTV would be required to appoint a DPO, as surveillance is a core activity of the company. On the other hand, it would not be mandatory to appoint a DPO where an organisation undertakes activities such as payroll and IT support, as while these involve the processing of personal data, they are considered ancillary rather than core activities.
Where the core activities of the Controller or the Processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences
Article 37(1)(b) and (c) require that the processing of personal data be carried out on a large scale in order for the designation of a DPO to be triggered. Article 37(1)(c) addresses the processing of special categories of data pursuant to Article 9, and personal data relating to criminal convictions and offences as set out in Article 10.
Article 37(5) of the GDPR provides that a Data Protection Officer shall be designated on the basis of professional qualities, and in particular, expert knowledge of data protection law and practices, and the ability to fulfil the tasks referred to in Article 39.
The GDPR does not define the professional qualities required, or prescribe the training a DPO should undergo to be qualified to undertake the role. This allows organisations to decide on their DPO’s qualifications and training tailored to the context of the organisation’s data processing.
The appropriate level of qualification and expert knowledge should be determined according to the personal data processing operations carried out, the complexity and scale of data processing, the sensitivity of the data processed and the protection required for the data being processed.
Position of the DPO
- Article 38 of the GDPR provides that the Controller and the Processor shall ensure that the DPO is involved properly and in a timely manner in all issues which relate to the protection of personal data. It is crucial that the DPO is involved from the earliest stage possible in all issues relating to data protection. In relation to data protection impact assessments, the GDPR explicitly provides for the early involvement of the DPO and specifies that the Controller shall seek the advice of the DPO when carrying out such impact assessments.
- Article 38(2) of the GDPR requires the organisation to support its DPO by providing the resources necessary to carry out their tasks, access to personal data and processing operations, and the means to maintain his or her expert knowledge. In general, the more complex and/or sensitive the processing operations are, the more resources must be given to the DPO. The data protection function must be effective and sufficiently well-resourced in relation to the data processing being carried out.
- Article 38(3) establishes some basic guarantees to help ensure that DPOs are able to perform their tasks with a sufficient degree of autonomy within their organisation. In particular, Controllers/Processors are required to ensure that the DPO does not receive any instructions regarding the exercise of his or her tasks. Recital 97 adds that DPOs, whether or not they are an employee of the Controller, should be in a position to perform their duties and tasks in an independent manner. The autonomy of DPOs does not, however, mean that they have decision-making powers extending beyond their tasks pursuant to Article 39.
- Article 38(3) also requires that DPOs should not be dismissed or penalised by the Controller or the Processor for performing their tasks. This requirement also strengthens the autonomy of DPOs and helps ensure that they act independently and enjoy sufficient protection in performing their data protection tasks. Penalties are only prohibited under the GDPR if they are imposed as a result of the DPO carrying out his or her duties as a DPO. For example, a DPO may consider that a particular processing is likely to result in a high risk and advise the Controller or the Processor to carry out a data protection impact assessment but the Controller or the Processor does not agree with the DPO’s assessment. In such a situation, the DPO cannot be dismissed for providing this advice.
- Article 38(6) allows DPOs to fulfil other tasks and duties as well. It requires, however, that the organisation ensures that any such tasks and duties do not result in a conflict of interests. The absence of conflict of interests is closely linked to the requirement to act in an independent manner. Although DPOs are allowed to have other functions, they can only be entrusted with other tasks and duties provided that these do not give rise to conflicts of interests. This entails in particular that the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data.
Functions of the DPO
Monitoring compliance with the GDPR
Article 39(1)(b) entrusts DPOs, among other duties, with the duty to monitor compliance with the GDPR. Recital 97 further specifies that the DPO should assist the Controller or the Processor to monitor internal compliance with this Regulation. Monitoring of compliance does not mean that it is the DPO who is personally responsible where there is an instance of non-compliance. The GDPR makes it clear that it is the Controller, not the DPO, who is required to implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation (Article 24(1)). Data protection compliance is a corporate responsibility of the data Controller, not of the DPO.
The DPO’s role in a data protection impact assessment
According to Article 35(1), it is the task of the Controller, not of the DPO, to carry out, when necessary, a data protection impact assessment (DPIA). However, the DPO can play a very important and useful role in assisting the Controller in this task. Following the principle of data protection by design, Article 35(2) specifically requires that the Controller shall seek the advice of the DPO when carrying out a DPIA. Article 39(1)(c), in turn, tasks the DPO with the duty to provide advice where requested as regards the DPIA and to monitor its performance.
Article 39(2) requires that the DPO have due regard to the risk associated with the processing operations, taking into account the nature, scope, context and purposes of the processing. This article recalls a general and common-sense principle, which may be relevant for many aspects of a DPO's day-to-day work. In essence, it requires DPOs to prioritise their activities and focus their efforts on issues that present higher data protection risks. This selective and pragmatic approach should help DPOs advise the Controller on what methodology to use when carrying out a DPIA, which areas should be subject to an internal or external data protection audit, which internal training activities to provide to staff or management responsible for data processing activities, and which processing operations to devote more of his or her time and resources to. Article 24(1) provides that, taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the Controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
The DPO’s role in recordkeeping
Under Article 30(1) and (2), it is the Controller or the Processor, not the DPO, who is required to maintain a record of processing operations under its responsibility or maintain a record of all categories of processing activities carried out on behalf of a Controller.
"The DPO will have professional standing, independence, expert knowledge of data protection, and, to quote the GDPR, be 'involved properly and in a timely manner' in all issues relating to the protection of personal data."
In practice, DPOs often create inventories and hold a register of processing operations based on information provided to them by the various departments in their organisation responsible for the processing of personal data. This practice has been established under many current national laws and under the data protection rules applicable to the EU institutions and bodies. Article 39(1) provides a list of tasks that the DPO must have as a minimum. Therefore, nothing prevents the Controller or the Processor from assigning the DPO the task of maintaining the record of processing operations under the responsibility of the Controller. Such a record should be considered as one of the tools enabling the DPO to perform his or her tasks of monitoring compliance and informing and advising the Controller or the Processor.
By : Puneet Bhasin
Advocate, Cyber Laws Expert, Founder – Cyberjure Legal Consulting