The DPO “shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.” This is supported by Recital 97:

“a person with expert knowledge of data protection law and practices should assist the controller or processor to monitor internal compliance with this Regulation. … in an independent manner.”

I have had the pleasure of working with many longstanding data protection officers (the old flavour) over the last 20 years. There has been data protection legislation since the early 1990s. These individuals should be the natural choice, but the spin merchants have been consistently peddling the notion that over 75,000 DPOs will be required worldwide. Are all the existing DPOs immediately redundant? I think not. You cannot become an “expert” overnight in a law that is not yet in force. But you can be an expert in the “practice” of existing “data protection law,” and that is what GDPR requires. GDPR also prescribes that the DPO must maintain her/his expert knowledge. Experience is certainly one way of having done so. Given that GDPR is very focussed on evidence collection in order to prove compliance, undertaking a GDPR Practitioner course would be a good (though not mandated) option. Taking a law degree might be a step too far. Nonetheless, there should be an agreed-upon mechanism for measuring the skills and abilities of DPOs – ASAP! In the information security world, we have been tackling this through the existence of a longstanding Common Body of Knowledge (CBK) and the creation of a competency assessment framework approach through awarding bodies, such as the Institute of Information Security Professionals (ISSP), the BCS – The Chartered Institute for IT, and APMG. The International Association of Privacy Professionals (IAPP) would be the natural equivalent for DPOs. However, as with many areas of qualification within the information space, there is already noise, confusion, duplication and complexity – much of which will confuse recruiters and organisations alike.
The intent of the regulation is for a wider adoption of the requirements and expectations for personal privacy afforded to individual data subjects. Therefore, more organisations should give serious consideration to their data collection, use, handling, storage, processing, sharing etc. For many younger organisations for whom this approach is new, it may be extremely challenging to find an existing employee who satisfies the prerequisite requirements of being a DPO. (Repeat after me – expert knowledge of data protection law and practices.) This may mean that such organisations have to engage outside consultants, at potentially significant expense, to fulfil this role. To return to our theme – whilst the Directive does not offer DPOs any special protection, murder is unlikely! The DPO's independence is taken seriously, as the GDPR expressly prevents dismissal or penalty of the DPO for performance of their tasks and places no limitation on the length of tenure. Therefore, a DPO cannot be liable under the GDPR. Consistent with the controllers’ and processors’ obligation of accountability under the GDPR, they are the ones that carry responsibility and, therefore, liability for non-compliance under the GDPR. An organisation should not be able to take disciplinary action against a DPO, nor can it terminate the DPO's employment merely because the DPO makes life harder for the organisation. If an organisation could do so, it would leave the DPO unable to act in a truly independent manner. Thus, an organisation cannot instruct the DPO in the performance of their duties, which include “secrecy or confidentiality” as detailed under Article 38(5), which could potentially create a conflict for a DPO. Consequently, many organisations choose to engage an outside consultant as a DPO. The GDPR is silent on whether individuals, or professional firms acting as a DPO, can be subject to criminal, administrative and corporate liabilities.
In other compliance areas, such as competition, anti-corruption and export control laws, compliance officers who take on roles that are broadly similar to DPOs are not subject to individual liabilities of any nature, except in cases of wilful misconduct, gross negligence or breach of company policies or applicable law, just as any other employee would be. Indeed, personal liability of the DPO would be inconsistent with their role under the GDPR as advisor to the controller or processor. Consistent with the controllers’ and processors’ obligation of accountability under the GDPR, it is the controllers or processors that are the decision-makers and that bear ultimate legal responsibility and liability for non-compliance under the GDPR. DPOs may be subject to national offences. However, it is unlikely that, in practice, the DPO would be designated as an officer or a director of a company in the same way that the CEO and CFO would be. Nonetheless, those of us in independent consultancy roles providing “DPO as a service” will no doubt see expectations for increased personal and professional liability insurance in the coming months. What protection would the designated professional membership body provide for an individual member? This is an area of professionalism in the information space that has yet to be effectively tackled. But I wonder – is there a future world in which DPOs will exist under the umbrella of Compliance Officers? Wouldn’t that be more logical? Leaving the dance floor with more questions than answers. :(