Appointment of Data Protection Officer Under General Data Protection Regulation (GDPR)

By Naima Zohair
Assistant Manager – Global Strategy
CRI Group

There is the growing misconception surrounding the need for appointing a Data Protection Officer (DPO) under GDPR which is effective on 25th May 2018. The role of DPO is critical for correct implementation of the newly drafted regulation. Relating to this, the organization needs to ask itself four main questions before appointing a DPO which are:

  1. Do they even need to appoint a DPO?
  2. Should they need a DPO anyway for safe measures of compliance?
  3. Can the role of DPO be outsourced?
  4. Will the DPO be personally liable?
  5. When should a DPO be appointed?

I will start by answering the first question. According to article 37(1), GDPR requires data controllers and processors to designate a DPO in any case where:

  • The processing is carried out by a public authority or body;
  • The ‘core activities’ of the controller/ processor consist of processing operations which ‘require regular and systematic monitoring of data subjects on a large scale’; or
  • The core activities of the controller/ processor consist of processing on a large scale of ‘special categories of data’ or personal data relating to criminal convictions and offenses.

As per the definition, private sector companies will not need to appoint a DPO. Majority of the private companies do not engage in monitoring of personal data, therefore in their course of administration, they will not need a DPO. For ready and seamless implementation of the three criteria stated above guidance of Article 29 of Working Party Guidelines on DPO’s issued in 2016 and then 2017 can be sought so that correct measures are taken.

The second question of whether DPO is needed anyway for safe measure of compliance can be answered by making use of Article 37(5) which basically lays down the requirements and puts an organization under obligation to appoint someone which has adequate knowledge of data protection law and practices, in short, the qualification required for appointment of DPO. Generally, there may be someone who will be fulfilling the role of DPO to be required to meet the standard under GDPR for compliance under Article5(2). The Guidelines also suggest that the knowledge must commensurate with experience, complexity and sensitivity of data with expertise in European data protection laws and with in-depth GDPR knowledge.

It is important to note that the actual role of DPO will be different from that of a normal employee or a contractor in that case as DPO are independent species not bound by the administration and are to operate freely out of their will. This means that they cannot be assigned task or instructed to do tasks assigned by the CEO or the central administration. The level of impartiality needs to be maintained separately from the organization so there is no corruption and biasedness in the process of compliance structure when adhering to the GDPR regulation.  In line with this the DPO’s employment status is protected under Article 38(3) of the GDPR, which means they cannot be dismissed or be sanctioned by the organization from performing or not performing tasks. Therefore, the appointment of a DPO will be a critical juncture in the implementation of GDPR as this will determine the future of compliance standards set and met in the organization.

Can the role of DPO be outsourced? This is answered under the Article 37(6) of the GDPR which makes it simplistically clear that DPO can be an employee or a contractor. Giving the concerns and apprehensions raised in the above paragraph, many experts in the field of compliance are of the opinion such role needs to be outsourced, rather than being in-house. However, there is no straightforward answer and depends on the requirement and load of the organization compliance setup. The DPO needs to be involved as per the regulation in a “proper and timely manner, in all issues which relate to the protection of personal data”. The Guidelines state that controllers and processors must develop data processing guidelines or programmes that set out when can the DPO be consulted. If this method is conducted, organizations can perform much productively and meet their compliance goals.

Is DPO personally liable? The Working Party Guidelines state that DPO will not be personally liable in case of noncompliance with GDPR. However, the GDPR text is silent on the issue of liability and the text does not say much and is in fact silent on this. DPO’s will need to be cautious regardless.

Organizations need to decide on the appointment of the DPO and who will be the best one for their need. For this, they must conduct their background screening through tools and finalize candidate fit for this role so that it sits well with the newly identified governance structure of the organization. Using appropriate background checks will ensure that Data Protection Officers skills are identified before the finalization of the job. Ultimately what is a better fit for the business, will be determined by the decision-making heads of the organization as the time is shrinking. Consensus on DPO is the need of the hour.