Data Protection Officers
Do you process large amounts of personal data? Are you scared of terms like GDPR, ePrivacy, cookies, data breach, but you work with the data of a large number of people? Consider engaging a data protection officer (DPO).
The responsible appointment of a DPO is not just one of the obligations under the GDPR for a specific group of controllers and processors. You can also appoint a DPO on a voluntary basis. In both cases, the right choice can save you a lot of money and nerves.
What is the DPO about?
DPO is a data protection professional who will advise you on how to deal with the matters of GDPR and other data protection regulations. DPO will be your “liaison officers” when dealing with the Data Protection Authority.
Will the Data Protection Officer solve all the problems for you? No, but he or she will help you get oriented, identify weak points, and find the right solution to any shortcomings!
Who is obliged to appoint the DPO?
Under the GDPR, the following must appoint the DPO:
- public authorities or bodies, e.g. municipalities, schools, state authorities, etc.
- persons who as core activity carry out regular and systematic monitoring of data subjects on a large scale, e.g. banks, telecommunications operators, etc.
- persons whose core activities consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences, e.g. hospitals, social welfare institutions, etc.
However, any other controller or processor processing personal data may also appoint a DPO. In any case, the appointment of the data protection officer must be notified to the Data Protection Authority.
Data transfer outside the EU
Do you move large amounts of data outside the European Union? So-called data transfers are always risky. The DPO will help you to comply with all regulations.
Do you provide online services?
Online services usually process a large amount of data. Such processing is also often subject to controls by supervisory authorities. The DPO will help you to pass such control unscathed.
Do you process health or other sensitive data?
A data breach concerning such data can be devastating to your business’s reputation. The DPO can help you set up appropriate security measures to reduce the risk of leakage.
When does DPO pay off?
- when you are obliged to appoint a DPO
- when you carry out extensive processing of personal data
- when you want to gain an advantage over your competitors
- when you want to act in a socially responsible manner
- when you don’t want to pay fines for breaches of the GDPR or compensation to data subjects for breaches of your obligations under the GDPR
What are the basic tasks of the DPOs?
- advise “their” controller or processor on their obligations under the GDPR and other data processing legislation
- monitor compliance of the activities carried out with the GDPR and other regulations
- provide support in the processing of a data protection impact assessment under Article 35 of the GDPR
- cooperate with the Data Protection Authority, whether in the context of inquiries, consultations or inspections
- can be a single point of contact for people whose data you process.
What to expect from the DPO?
You can expect your DPO:
- being a professional with broad expertise
helping and advising you
having a thorough understanding of your business and the personal data processing that take place there
to further educate himself/herself in the field of data processing matters
discussing and defending his/her point of view with you needing access to your leadership
performing his/her role independently
carrying out preventive controls
helping you to develop internal processes and regulations cooperating closely with your other staff, especially those involved in compliance and IT security
What not to expect from the DPO?
Don’t expect that:
- DPO will always agree with you
- appointing DPO will take all the worry out of GDPR. The DPO will help you but will not solve all the problems for you. Ensuring proper processing of personal data and compliance with GDPR is a never-ending process that must involve your entire organisation and is primarily the responsibility of the so-called data controller, i.e. your business or institution
- that you will never hear from the DPO. On the contrary, it is the role of the Data Protection Officer to alert you to problems and help you find the right solutions
- that the formal appointment of a Data Protection Officer will save you from fines or negative publicity
Internal or external DPO?
The GDPR does not prefer either form of DPO. The DPO must first and foremost be good in the matters of data protection and sufficiently independent.
There are advantages to both types of DPO. An in-house DPO may find it easier to get to know your operation, an external DPO may have more insight and may have more experience due to working for multiple controllers and/or processors. It always depends on the particular circumstances of your business or institution as to which option is better.
However, the DPO should not, under any circumstances, perform other tasks for you that could lead to a conflict of interest. If the DPO is an employee, he or she should not determine the manner and means of data processing. Thus, the internal DPO (employee) may be your lawyer, for example, but should not perform a managerial function for you, typically, for example, the IT director or the HR director. The external DPO should not provide IT services, bookkeeping or supply IT systems etc. for you.
You don’t have to have just one DPO, the DPO can work with the whole team to deliver its service for you. However, you can share your single internal DPO. For example, a single DPO can be active for several municipalities or group of companies. It always depends on the context of your activity.
Always avoid engaging the DPOs only formally and at the lowest possible cost. Such a DPO will not be of any help to you and may cause you considerable inconvenience if they give you incorrect advice or neglect their duties.
Did you know that you can be fined up to €20 million for violating GDPR?
While fines for breaches of the GDPR in the public sphere may not be possible in some cases, failure to ensure data protection can lead to class action lawsuits from affected data subjects whose data you incorrectly process, and may be a breach of the managerial duty of care.
How our association can help your DPO
The European Federation of Data Protection Officers (EFDPO) is a European network of national associations of data protection and privacy officers. Our mission to establish a European representation of interests for DPOs as a partner of institutions such as the European Commission, the European Parliament, the Council of the European Union, the European Data Protection Board and national data protection authorities. In doing so, the EFDPO aims to strengthen data protection as a competitive and locational advantage for Europe.
We see data protection officers as key experts in companies and institutions, they ensure the entrepreneurial capacity to act under the GDPR and, at the same time, ensure that consumer and civil rights are observed with regard to data protection. This also relieves the burden on national data protection supervisory authorities.
The EFDPO was founded in Berlin on 7 June 2019. Founding members were national associations for data protection officers from Austria, France, Germany, Portugal, the Czech Republic, Slovakia, Greece and Liechtenstein. Today EFDPO represents 12 member associations from European Union and other countries. Find out more about EFDPO membership.