The European Privacy Recruiter's Blog
Question 1 - Which private sector organizations must appoint a DPO?
Any EU-based company where core activities consist of personal data processing which
Check out the GDPR Appointment Decision Tree! Further clarification would be helpful around the definitions of ‘monitoring’, ‘core activity’ and ‘large scale’.
Question 2 - What are the tasks of a DPO?
The first three tasks are quite clear. The subsequent tasks concern the DPO’s interaction with the external world. It is particularly interesting that two bullet points are dedicated to the DPO’s interaction with the DPA. Speaking of DPO-DPA cooperation: what does this cooperation look like? Is the DPO expected to respond to inquiries in full transparency, for example? This reminds us of the fragile balance a DPO must keep in his/her relationships with the employer and the local authority.

The text reads as if the DPO will interact directly with data subjects. Where a company has thousands of employees and customers, the DPO may be bombarded with inquiries. It is essential for the DPO to find a sustainable way to manage all of these, particularly when individuals request to exercise their rights and the company has only limited time to respond.

The CPO and the DPO: are they the same thing? There are some similarities, but they are different. The Chief Privacy Officer is the C-level executive in an organization in charge of the strategic management of a corporate privacy program (e.g. defining the organization’s privacy vision, developing a strategy and selecting the right governance model), developing and implementing a framework suitable for the entire organization, and finally the performance management of this compliance program. The European DPO role as described in the Regulation seems to be more operational than this. The two can co-exist within the same Global Privacy Office, led by the CPO and composed of a core team of specialists and a bigger team of generalists spread across the organization. Specialists (a ‘centre of expertise’) develop policies, procedures and tools applicable across the whole organization, and generalists (e.g. regional privacy managers, local DPOs) act as trusted advisors to their business lines, ensuring that field practices comply with corporate standards and the applicable laws, first and foremost the Regulation.

Question 3 - What are the qualities of a DPO?
You must designate a DPO on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks above.

In any recruitment process, the ideal candidate requirements are a combination of hard skills (e.g. domain knowledge, work experience and languages) and soft skills (leadership, communication, negotiation), which together form the set of qualities needed to perform the job. It is no different for the DPO role. The Regulation does not list all the qualities but gives a few examples, such as the type of knowledge and the ability to perform the tasks.

So, what about the knowledge? Our DPO must be knowledgeable about data protection law. In our view, this cannot be limited to the Regulation, as there are other privacy-related EU regulations and Member State laws that interact with the Regulation (e.g. telecom laws, employment laws). This view is strengthened by one of the DPO tasks, which is “to monitor compliance with the Regulation and EU or Member State privacy provisions…” Knowing the law is not enough. Our DPO also needs to know about the operational aspects. These would include privacy practices such as impact assessments, handling data subjects’ requests, employee monitoring, vendor contracts and breach management.

What level of knowledge should we expect from our DPO? The Regulation asks us to seek ‘expert’ knowledge. However, looking at the Recitals, we understand that it is up to the company to define the level of expertise in relation to the type of processing and the level of protection it requires. This would mean that companies which face greater risks (because they are data-driven, process sensitive data or rely heavily on outsourcing, for example) must look for someone with a high level of expert knowledge in law and practices. On the other hand, if the processing is limited in type, scale or geography, then it could be fine to appoint someone with a lower level of expert knowledge. The use of the word ‘expert’ here is very confusing, as by default it refers to somebody who is very knowledgeable. But you’ve got the point: you need to decide on the level of expertise you need from a DPO.

Another listed quality is the ‘ability to fulfil the tasks’. Which skills enable a person to fulfil all the listed tasks? Obviously, domain knowledge and previous similar experience would enhance this ability. However, there are other qualities which are equally important to perform the job well. We are looking for a professional with superb interpersonal skills who can interact with all levels of an organization; an approachable person who enjoys sharing knowledge but at the same time knows when to make his/her point clear; someone who is able to work in a structured way and under minimum supervision, is good at risk assessment, has strong PR skills and a good command of languages (as the DPO is expected to be in direct communication with data subjects and the DPAs), and finally someone tactful enough to find the fine balance between a trusted advisor and an internal watchdog.

Question 4 - Can an existing employee be assigned as the company’s DPO?
Yes. However, you must ensure that the other professional duties of this employee are compatible with his/her new duties as DPO and do not result in a conflict of interests.

This provision tells us that the DPO job can be done on a part-time basis. Once you have defined your ideal candidate profile, scan your organization to see whether any of your employees meet the criteria and have a little chat to confirm the person’s interest in a full-time DPO job. If the decision is not to create a full-time headcount but to give the DPO tasks to an existing staff member, there are a couple of points you need to pay attention to. The first is the proper estimation of the DPO’s workload, with tasks ranging from advising to monitoring, training and interactions with the external world. The job can get even heavier in a large organization with various business lines and services. Are you sure all of this can be done with a part-time resource? Secondly, you need to make sure that the person’s DPO tasks will not conflict with his/her regular function. Which functions are not compatible with the DPO tasks and may create a conflict of interest? These could be the ones typically related to the ‘monitoring’ task of the DPO: functions either too close to the data flows and processing (e.g. HR, Marketing, Product Development, Vendor Management), those responsible for information security systems (e.g. IT, InfoSec), or a function which by nature requires defending corporate interests (e.g. Legal). If you cannot find the right DPO profile within the organization, you will need to recruit a good DPO externally.

Question 5 - Could a single DPO be appointed for a group of companies?
Yes. A group of undertakings may appoint a single DPO provided that the DPO is easily accessible from each establishment.

If an organization has 5 legal entities in Belgium, it is straightforward to find a DPO who has the skills described above. The challenge arises when a company decides to appoint a single DPO across multiple countries. Although the Regulation in principle replaces national data protection laws, some local differences will remain. These differences can be found in local laws other than data protection, in DPA reflexes and in the expectations of citizens. Moreover, we expect the DPO to be the face of the company to the external world (DPAs and data subjects), and this task will require local language skills. Therefore, make sure your DPO has the necessary skills to address these local differences while performing tasks across different Member States. The dream solution would be to appoint a DPO per country, but given the budgetary challenges in our community, it remains a dream. Perhaps a more reasonable approach would be to group similar jurisdictions (e.g. Southern Europe, the Nordics) and appoint a DPO for each group.

There seems to be no limitation on the base location of the DPO as long as s/he is easily accessible from each entity. By ‘easy accessibility’ we do not think the policy-makers meant physical accessibility, but rather the ease of reaching out to the DPO for guidance. This should not be an issue, thanks to current communication technology. Can your DPO be based outside Europe? Answer this first: can your DPO really build a strong bond with your European business remotely? It is a brand new role. Regardless of the DPO’s location, it will be difficult for the rest of the organization to understand why the person is there and whom s/he serves. Keeping the person on another continent, far from his/her internal clients, may have a negative impact on the person’s acceptance. Plus, the DPO needs to work with the DPAs very closely, and this may include last-minute meetings!

This document has been prepared by DPO Network Europe for informational purposes only. The content of this document does not constitute legal advice and should not be relied upon as such. Please check with your legal counsel when in any doubt about your rights and obligations in order to comply with the law and regulations.