The Data Protection Officer
The General Data Protection Regulation (GDPR), which applies directly in all EU Member States from 25 May 2018, establishes an accountability-based framework for data protection in Europe. For many organizations the Data Protection Officer will be an inescapable figure in this new legal framework, facilitating compliance with the provisions of the GDPR.
The primary role of the Data Protection Officer (“DPO”) is to ensure that the organization processes the personal data of employees, customers, suppliers or any other natural person (the data subject) in accordance with the applicable data protection rules.
The DPO should be appointed on the basis of personal and professional qualities, with special emphasis on expert knowledge of data protection law and practice. A good understanding of how the organization operates is also recommended.
At this stage we meet the first of many practical difficulties: recruiting and selecting, internally or externally, someone with this set of competences can in itself be an arduous task.
This difficulty does not excuse an entity that is obliged to appoint a DPO from doing so. If the ideal candidate cannot be found, the entity should appoint the person who demonstrates the competences most appropriate to the duties of the role.
It should also be noted that, in our reading, the person who performs the DPO's functions need not match the full “proficiency profile” described in the GDPR. That profile facilitates the exercise of the functions, but it is indicative rather than prescriptive.
The DPO may be a member of the controller's own staff or someone external to it. This possibility does not mean that an employee is obliged to accept the role merely because the employer proposes it: the controller should “invite”, not “appoint by decree”, the person it considers best qualified to exercise those functions.
It is also important to note that, where the appointment is internal, the hierarchical relationship is greatly attenuated, since the DPO must perform the role independently. An invitation? Yes. A “proposal that must be accepted”? Never.
As to the type of relationship between the DPO and the controller, we consider a long-term contract advisable, preferably for an indefinite period, so that the DPO can focus solely on performing the duties of the role rather than on performing them in whatever way best secures renewal of the contract or “guarantees” future career development.
To ensure that the functions are exercised autonomously and independently, we consider that future DPOs, besides being able to coordinate a support team, should manage their own budget and be provided with the means necessary to carry out those functions. Not depending on a hierarchical decision either to obtain resources or to decide which course to take is essential to autonomy and independence, and ultimately the best way to ensure compliance with the Regulation.
When the DPO is appointed internally, it is highly advisable that, at performance-evaluation time, the decision-maker bears in mind that the DPO often has to take decisions that are unpopular with other department heads and is therefore associated with “problems and bureaucracy”. The evaluating body should keep the distance needed for a fair and objective evaluation, which may include a performance-evaluation system that allows external parties to comment on the DPO's performance.
Which Companies Need a Data Protection Officer?
Proposed by the European Parliament, the Council of the European Union and the European Commission to strengthen and streamline the protection of personal data of EU citizens, the GDPR makes the appointment of a DPO mandatory for any organization that processes or stores large volumes of personal data, whether of its own employees, of individuals outside the organization, or both.
A DPO must be appointed for all public authorities, and where the core activities of the controller or the processor involve “regular and systematic monitoring of data subjects on a large scale”, or where the entity carries out large-scale processing of “special categories of personal data”, such as data revealing racial or ethnic origin or religious beliefs.
In summary, both the decision-making bodies of organizations and Data Protection Officers should be made aware of what the GDPR stands for, its outlines and the spirit of its rules, together establishing the ideal conditions for both to succeed in accordance with the Regulation.