The General Data Protection Regulation (‘GDPR’), which will apply from 25 May 2018, contains rules on data protection. The Data Protection Officer (‘DPO’) can play a key role in many organisations in terms of compliance with the GDPR. Below you will find more information about the designation, position and tasks of the DPO and some practical tips for your organisation.
The DPO is not a new concept. In the Dutch Personal Data Protection Act (‘Wbp’) the DPO already occurs and several organisations in the Netherlands already employ an DPO.
An important difference with the Wbp is that in the GDPR different categories of organisations are required to appoint an DPO. Under the Wbp, the appointment of an DPO is only on a voluntary basis. In addition, the provisions concerning the tasks and powers of the DPO under the GDPR have been expanded considerably.
Under the GDPR, organisations are obliged to appoint an DPO:
- where processing is carried out by a public authority or body;
The GDPR does not contain any definition of the term ‘public authority’ or ‘public body’. Whether such an authority exists must therefore be determined on the basis of national laws and regulations. This may include, for example, the national government, provinces, municipalities, but also the National Institute for Public Health and the Environment (RIVM) and the Netherlands Institute for Social Research (Sociaal en Cultureel Planbureau).
- when the controller or the processor mainly carries out processing operations that, due to their nature, size and/or purposes, require regular and systematic large-scale observation of data subjects;
This category includes other organisations involved in profiling and monitoring individuals on the Internet, for example for displaying advertisements based on Internet use. The number of persons being monitored, the length of time for which they are monitored and the amount of data processed by the organisation of these persons are relevant here.
- where the data controller or processor mainly carries out large-scale processing of special personal data or personal data relating to criminal convictions and offences
Healthcare institutions, for example, fall into this category because they often process special personal data – namely medical data – on a large scale. Some healthcare institutions have already been obliged to appoint an DPO since 1 July 2017 on the basis of the ‘Decree on Electronic Data Processing by Healthcare Providers’.
The DPO should be designated on the basis of its professional qualities and its expertise in data protection law and practice. The level of knowledge required will vary from organisation to organisation and will depend on the sensitivity, complexity and quantity of personal data processed by the organisation concerned. Knowledge of the sector and the organisation concerned is also recommended.
- The DPO shall perform the following tasks:
- informing and advising the organisation on its obligations under the GDPR;
- supervising compliance with the GDPR and with the organisation’s policy with regard to the protection of personal data;
- assigning responsibilities within the organisation and raising awareness and training of the personnel involved;
- provide advice on a possible DPIA on request and supervise its implementation;
- cooperate with and act as contact point for the Personal Data Authority (Dutch supervisory authority).
It is important that the DPO is involved at an early stage in matters relating to the protection of personal data within the organisation. The GDPR even explicitly requires this when it comes to carrying out data protection impact assessments (‘DPIA’). The DPO must also be consulted immediately if a data breach has occurred.
In addition, it is important that the DPO has sufficient resources at its disposal to fulfil its tasks. This includes support in terms of financial resources, time, facilities and personnel.
The DPO must also be able to perform its tasks within the organisation with sufficient autonomy. This means that he may not receive instructions about the result to be achieved or about taking a particular position. He must not be dismissed or punished for the performance of his duties.
Finally, the DPO can be either a staff member of the organisation or carry out its tasks on the basis of a service contract. Whether or not the DPO is employed by the organisation, its tasks should in any case not give rise to conflicts of interest.
Tips & tricks
Now that it is clear what position the DPO occupies within an organisation and what its tasks and powers are, here are some practical tips & tricks. Some of these have been taken from the Guidelines on Data Protection Officers published by the Article 29 Working Group (European Regulators).
- Job profile
If you have not yet appointed an DPO, it is wise to first get a good idea of the sensitivity, complexity and amount of personal data that are processed within your organisation. In this way, you will know what level of knowledge is required and you will be better able to decide whether someone within your own organisation can take on this role or whether you want to attract someone from outside. Depending on the size and structure of your organisation, it may even be necessary to appoint an DPO team (DPO with staff).
- Voluntary appointment
If you are not required to appoint an DPO, it may still be wise to appoint a person within your organisation who is responsible for ensuring proper compliance with data protection laws and regulations. In order to prevent your organisation from being bound by the rules in the GDPR regarding the role and position of the DPO, we recommend that the person in question should not be called an DPO, but should be given a different job title.
- Internal rules on conflicts of interest
If DPO’s function is to be performed by someone who also performs other work, it is wise to draw up internal rules in advance in order to prevent possible conflicts of interest as far as possible.
- Processing register
Most organisations are obliged under the GDPR to keep a so-called register of processing activities. Maintaining this register is not one of the DPO’s specific tasks, but that does not alter the fact that this task can be transferred to the DPO. The establishment and maintenance of this register will help the DPO to monitor compliance with the GDPR.
- Sufficient resources
Ensure that the DPO has sufficient autonomy and resources to carry out its tasks. Also invite him to attend meetings on a regular basis and ensure that he can receive regular refresher training.
- Recording of advice
The opinion of the DPO should always be given an appropriate value. However, this does not detract from the fact that the organisation itself remains responsible for compliance with the GDPR. In the event of differences of opinion between the DPO and the organisation, it may be wise to record why the DPO’s advice has not been followed.
- Passing on contact details
Finally, please note that the DPO’s contact details must be included in your privacy statement and passed on to the Personal Data Authority.