Beware not to confuse the DPO, the “Data Protection Officer” (GDPR), with the “Data Privacy Officer” (not a GDPR concept)! The reason is that the GDPR has a very specific view of the DPO: the Data Protection Officer is NOT in charge of ensuring compliance with the GDPR. That’s the role of the Controller, not the DPO! Let’s clarify this important distinction, often misunderstood by businesses who designate a DPO and discover afterwards that they need additional staff to ensure compliance.
Within the GDPR, the Data Protection Officer has a very specific function, which is to act independently from the Controller and ensure the GDPR is correctly implemented. The DPO belongs, in a way, to the control department. He’s there to ensure the work is done properly, not to do the work in the first place. A simple way to view the DPO is to see him as an employee of a data protection authority, but paid by the Controller, of course.
Why the DPO is fundamentally independent
To understand why the DPO was created, we have to go back to EU Directive 95/46 (the directive that basically created data protection rules in Europe in 1995, before the GDPR was adopted as a regulation). This directive set up the following structure:
And this is a very important paradigm, because the role of the DPO in the GDPR inherits from it. Structurally, his duties are to ensure independently that the regulation is applied in the organization and causes no substantial risks to data subjects. The DPO is there to review the work, not to do the work in the first place!
This structure was established at a time when mostly big businesses were conducting data processing activities (in 1995…): banks, insurance companies, hospitals, etc. And the legislator assumed these businesses had:
There are many consequences of this position:
There are 3 cases in which the appointment of a DPO is mandatory:
In all other cases, the appointment of a DPO is optional. However, it’s practically always necessary to have a person in charge of the compliance inside the organization.
Anyone who has taken at least a two-day training on GDPR compliance. Training the DPO is an obligation, so that he is able to perform these functions.
The data protection officer shall have at least the following tasks:
In general, the DPO also assists in the creation and updating of the register of processing activities. The DPO has to perform his tasks with due regard to the risk associated with processing operations.
The Controller has a certain number of duties regarding the DPO; he has to:
The DPO does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalized by the controller or the processor for performing his or her tasks. The data protection officer shall report directly to the highest management level of the controller or the processor.
Data subjects may contact the data protection officer about all issues related to the processing of their data and to the exercise of their rights under this Regulation.
The DPO is bound by secrecy or confidentiality concerning the performance of his or her tasks. He may fulfill other tasks and duties; however, the controller has to ensure that any such tasks and duties do not result in a conflict of interests.