The European Privacy Recruiter's Blog

Dissecting the EU GDPR DPO requirement, some food for thought! (Part 1)

18/1/2016

 
Previously we provided an FAQ document on the mandatory appointment of Data Protection Officers (DPOs), a new obligation for certain private sector companies. In this blog post, we would like to go into a little more detail and share our thoughts. For any comments or feedback, please feel free to write to us at info(at)dponetwork.eu.
Question 1 - Which private sector organizations must appoint a DPO?

Any EU-based company whose core activities consist of personal data processing which
  • Requires regular and systematic monitoring of individuals on a large scale; or
  • Concerns special categories of data on a large scale, or data relating to criminal convictions and offences. “Special categories of data” is the type of data which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership; genetic data, biometric data or data concerning health, sex life or sexual orientation.
And non-EU companies which are subject to the Regulation (offering goods/services to Europeans or monitoring their behaviour) and where the above appointment criteria apply.

Check out the GDPR Appointment Decision Tree!

Further clarification would be helpful around the definitions of ‘monitoring’, ‘core activity’ and ‘large scale’.
  • The concept of ‘core activity’ needs clarification. The Recital states that in the private sector, the core activities of a controller relate to its primary activities and not to the processing of personal data as an ancillary activity. Do we need to interpret ‘primary activities’ as the ones which are revenue generating, so that any other corporate activity which supports the real business (e.g. HR, IT) is ancillary? Note that some of these activities do involve intensive personal data processing.
  • Monitoring is a big word and it can mean a lot of things. The only explanation we could find was in Recital 24. However, this explanation is given in the context of the extra-territorial impact of the Regulation and it only helps to understand what constitutes ‘behaviour monitoring’. The DPO provision speaks of ‘monitoring of individuals’ and it is difficult to understand why the word monitoring was used instead of simply saying ‘...regular, systematic, large scale data processing...’.
  • In Recital 91, the term ‘large scale’ is described as a ‘considerable amount of personal data at regional, national or supranational level’ or ‘data of a large number of data subjects’. What is ‘large’ really? If we have 10k data subjects, is this a large enough number? If we are dealing with sensitive data and have only 100 data subjects, is this not large enough?
In light of all the above, even if a company's processing falls under one of the criteria, it may still not have to appoint a DPO if it can demonstrate that these processing activities are not “core” to the business.
Question 2 - What are the tasks of a DPO?

  • To inform and advise the organization and staff of their obligations as per the regulation and other regional/local privacy provisions;
  • To monitor compliance with the regulation, other regional/local privacy provisions and with the internal privacy policies of the organization. This includes assignment of responsibilities, awareness-raising and training of staff and audits;
  • To provide advice on privacy impact assessments and monitor how they are performed;
  • To cooperate with the supervisory authority;
  • To act as the organization’s contact point for the supervisory authority on issues related to the processing of personal data, including the prior consultation;
  • To respond to individuals whose data is processed (employees, clients and similar) on all issues related to the processing of their data and the exercise of their rights under the regulation.
The first 3 tasks are quite clear. Subsequent tasks are about the DPO’s interaction with the external world. 

It is particularly interesting to see that two bullet points have been dedicated to the DPO's interaction with the DPA.

Speaking of DPO-DPA cooperation, what does this cooperation look like? Is the DPO expected to respond to inquiries in full transparency, for example? This reminds us of the fragile balance a DPO must keep in his/her relationships with the employer and the local authority.
 
The text reads as if the DPO will interact directly with data subjects. Where a company has thousands of employees and customers, the DPO may be bombarded with inquiries. It is essential for the DPO to find a sustainable way to manage all of these, particularly when individuals request to exercise their rights and the company has only limited time to respond.
 
The CPO and the DPO – is it the same thing?

There are some similarities, but the two roles are different. The Chief Privacy Officer is the C-level executive in an organization in charge of the strategic management of a corporate privacy program (e.g. defining the organization’s privacy vision, developing a strategy and selecting the right governance model), developing and implementing a framework suitable for the entire organization, and finally the performance management of this compliance program. The European DPO role as described in the Regulation seems to be more operational than this.

They can co-exist within the same Global Privacy Office, which is led by the CPO and composed of a core team of specialists and a bigger team of generalists spread across the organization. Specialists (a ‘centre of expertise’) develop policies, procedures and tools applicable across the whole organization, and generalists (e.g. regional privacy managers, local DPOs) act as trusted advisors to their business lines, ensuring that field practices comply with corporate standards and the applicable laws, first and foremost the Regulation.
Question 3 - What are the qualities of a DPO?

You must designate a DPO on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks above.

In any recruitment process, the ideal candidate requirements are a combination of hard skills (e.g. domain knowledge, work experience and languages) and soft skills (leadership, communication, negotiation) which together form the set of qualities needed to perform the job. It is no different for the DPO role. The Regulation does not list all the qualities but gives a few examples, such as the type of knowledge and the ability to perform the tasks.

So, what about knowledge? Our DPO must be knowledgeable about data protection law. In our view, this cannot be limited to the Regulation, as there are other privacy-related EU regulations and Member State laws which interact with the Regulation (e.g. telecom laws, employment laws). This view is strengthened by one of the DPO tasks, which is “to monitor compliance with the Regulation and EU or Member State privacy provisions…”

Knowing laws is not enough. Our DPO also needs to know about the operational aspects. These include privacy practices such as impact assessments, handling data subjects’ requests, employee monitoring, vendor contracts and breach management.

What level of knowledge should we expect from our DPO? The Regulation asks us to seek ‘expert’ knowledge. However, looking at the Recitals, we understand that it is up to the company to define the level of expertise in relation to the type of processing and the level of protection it requires.

This would mean that companies which face greater risks (because they are data-driven, process sensitive data or rely heavily on outsourcing, for example) must look for someone with a high level of expert knowledge in law and practices. On the other hand, if the processing is limited in type, scale or geography, it could be fine to appoint someone with a lower level of expert knowledge. The use of the word ‘expert’ here is very confusing, as by default it refers to somebody who is very knowledgeable. But you get the point: you need to decide on the level of expertise you need from a DPO.

Another listed quality here is the ‘ability to fulfill the tasks’. Which skills can enable a person to fulfill all the listed tasks?

Obviously, one’s domain knowledge and previous similar experience would definitely enhance this ability. However, there are other qualities which are equally important to perform the job well.  We are looking for a professional with superb interpersonal skills who can interact with all levels of an organization; an approachable person who enjoys sharing knowledge but at the same time knows when to make his/her point clear; someone who is able to work in a structured way and under minimum supervision, good in risk-assessment, strong PR skills, good command of languages (as the DPO is expected to be in direct communication with data subjects and the DPAs), and finally someone tactful to find the fine balance between a trusted advisor and an internal watchdog.
Question 4 - Can an existing employee be assigned as the company’s DPO?

Yes. However, you must ensure that the other professional duties of this employee are compatible with his/her new duties as DPO and do not result in a conflict of interests.

This provision tells us that the DPO job can be done on a part-time basis. Once you have defined your ideal candidate profile, scan your organization to see whether any of your employees meet the criteria and have a little chat to confirm the person’s interest in a full-time DPO job.

If the decision is not to create a full-time headcount but to give the DPO tasks to an existing staff member, there are a couple of points you need to pay attention to.

The first one is the proper estimation of the DPO’s workload, with tasks ranging from advising to monitoring, training and interactions with the external world. The job can get even heavier in a large organization with various business lines and services. Are you sure all of this can be done with a part-time resource?

Secondly, you need to make sure that the person’s DPO tasks will not conflict with his/her regular function. Which functions are not compatible with the DPO tasks and may create a conflict of interest? These are typically the ones related to the ‘monitoring’ task of the DPO: functions that are too close to the data flows and processing (e.g. HR, Marketing, Product Development, Vendor Management), the ones responsible for information security systems (e.g. IT, InfoSec), or a function which by nature requires defending corporate interests (e.g. Legal).

If you cannot find the right DPO profile within the organization, you will need to recruit a good DPO externally.
Question 5 - Could a single DPO be appointed for a group of companies?

Yes. A group of undertakings may appoint a single DPO provided that the DPO is easily accessible from each establishment.

If an organization has 5 legal entities in Belgium, it is straightforward to find a DPO who has the skills as above. The challenge arises when a company decides to appoint a single DPO across multiple countries.

Although the Regulation in principle replaces national data protection laws, some local differences will remain. These differences can be found in local laws other than data protection, in DPA reflexes and in the expectations of the citizens. Moreover, we expect the DPO to be the face of the company to the external world (DPAs and data subjects) and this task will require local language skills. Therefore, make sure your DPO has the necessary skills to address these local differences while performing tasks across different Member States.

The dream solution would be to appoint a DPO per country, but given the budgetary challenges in our community, it remains a dream. Perhaps a more reasonable approach would be to group similar jurisdictions (e.g. Southern Europe, the Nordics) and appoint a DPO per group.

There seems to be no limitation on the base location of the DPO as long as s/he is easily accessible from each entity. By ‘easy accessibility’ we do not think that the policy-makers meant physical accessibility, but rather the ease of reaching out to the DPO for guidance. This should not be an issue, thanks to current communication technology.


Can your DPO be based outside Europe? Answer this first: can your DPO really build a strong bond with your European business remotely? It is a brand new role. Regardless of the DPO's location, it will be difficult for the rest of the organization to understand why the person is there and whom s/he serves. Keeping the person on another continent, far from his/her internal clients, may have a negative impact on the person’s acceptance. Plus, the DPO needs to work very closely with the DPAs, and this may include last-minute meetings!
This document has been prepared by DPO Network Europe for informational purposes only. The content of this document does not constitute legal advice and should not be relied upon as such. Please check with your legal counsel when in any doubt about understanding your rights and obligations in order to comply with the law and regulations.