Role and missions of the Data Privacy Officer (GDPR)

The DPO - the Data Protection Officer, is the person in charge of GDPR compliance management. Details on his functions and missions

Beware not to confuse the DPO the “Data Protection Officer” (GDPR) and the “Data Privacy Officer” (not a GDPR concept)! And the reason is that the GDPR has a very specific view of the DPO : the data Protection officier is NOT in charge of ensuring compliance with the GDPR. That’s the role of the Controller, not the DPO! Let’s clarify this important distinction, often misunderstood by businesses who designate a DPO and discover after that the need additionnal staff to ensure compliance.

I. - The DPO is not responsible for compliance

Within the GDPR, the Data Protection Officer has a very specific function, which is to act independently from the Controller and ensure the GDPR is correctly implemented. The DPO belongs in a way to the control departement. He’s here to ensure the work is done properly, he’s not here to do the work in the first place. A simple way to view the DPO is to see him as an employee of a data protection authority, but paid by the Controller of course.

Why the DPO is fundamentaly independant

To understand why the DPO was created, we have to come back to the EU directive 95/46 (the directive that basically created data protection rules in Europe in 1995, before the GDPR was adopted as a regulation). This directive set the following structure :

  • before carrying out any data processing operation an organization had to inform the supervisory authority
  • with two exceptions to that rule :
  • for certain types of processing activities that were unlikely to “affect adversely the rights and freedoms of data subjects” (no risks), no information was needed ;
  • or, in the case where the Controller had a “Data Protection Official” (at the time), who ensured independently the compliance of the processing activities to the law, no formality was needed either.

And this is a very important paradigm because the role of the DPO in the GDPR, inherits from this. Structurally, his duties are to ensure independently that the regulation is applied in the organization, and causes no substantial risks to data subjects. The DPO is here to review the work, not to do the work in the first place!

This structure was established at a time when mostly big businesses were conducting data processing activities (in 1995…): banks, insurances, hospitals, etc. And the legislator assumed these businesses had :

  • an IT team to handle the processing activities
  • a legal teams to handle the compliance
  • and therefore could easily appoint an independent official within the structure that could verify independently that everything was done according to the legislative plan

There are a lot of consequences of this position :

  1. The DPO is always independent from the Controller: he can not be sanctionned by the Controller for doing his work. He can not receive instructions from the Controller either. The DPO has to be properly informed of all processing operations (as well as have all qualifications necessary to handle compliance work).
  2. The DPO can not be liable for the Controller’s non-compliances: it is the Controller who assumes the compliance and all legal risks of his operations. The DPO is there only to verify that the work is done properly and offer a review of where the Controller is in terms of data privacy.

II. When do organizations really need a DPO?

There are 3 cases in which the appointment of a DPO is mandatory:

  1. when the controller is a public authority or a public body, with the exception of courts acting in the exercise of their judicial function
  2. when the organization’s core activities require regular and systematic tracking of people on a large scale
  3. when the activities of the organization consist of large-scale processing of health data, for example (more generally Article 9 or 10 data)

In all other cases, the appointment of a DPO is optional. However, it’s practically always necessary to have a person in charge of the compliance inside the organization.

A. - Who can be apointed as DPO?

Anyone who at least has taken a two days training on GDPR compliance. The training of the DPO is an obligation to be able to perform these functions.

B. - The Tasks of the DPO

The data protection officer shall have at least the following tasks:

  1. Inform and advise the controller or processor and the employees who carry out the processing on their obligations under this Regulation and other provisions of Union or national law. Member States on data protection;
  2. *Monitoring compliance with the GDPR, including with regard to the distribution of responsibilities, awareness and training of staff involved in processing operations, and audits
  3. Provide advice on data protection impact assessment and verify its execution under Article 35
  4. Cooperate with the supervisory authority
  5. Act as a contact point for the supervisory authority on matters relating to the processing, including the prior consultation referred to in Article 36, and carry out consultations, where appropriate, on any other matter.

In general, the DPO also assists in the creation and updating of the register of processing activities.The DPO has to perform his tasks with due regard to the risk associated with processing operations.

C. - Position of the DPO

The Controller has a certain number of duties regarding the DPO, he has to :

  • ensure the DPO is involved in all issues which relate to the protection of personal data ;
  • support the DPO in performing his tasks, by providing all necessary resources to carry out his mission as well as all access to personal data and processing operations, and tools to maintain his or her expert knowledge.

The DPO does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalized by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.

Data subjects may contact the data protection officer about all issues related to the processing of their data and to the exercise of their rights under this Regulation.

The DPO is bound by secrecy or confidentiality concerning the performance of his or her tasks. He may fulfill other tasks and duties however, the controller has to ensure that any such tasks and duties do not result in a conflict of interests.