This March the AEPD (the Spanish data protection authority) announced its participation in a coordinated action with other European data protection authorities, focused on assessing whether organisations in various sectors comply with the requirements that the European General Data Protection Regulation (GDPR) establishes for the appointment of Data Protection Officers.
What are the requirements to be a Data Protection Officer?
With the entry into force of the GDPR, the role of the Data Protection Officer (DPO) was established as a key element of data protection management in companies and public entities that carry out more complex processing, with the aim of ensuring compliance with the rules on the protection of personal data.
However, it is quite common for organisations to appoint a DPO without taking into account that this cannot be just any person: he or she must have certain characteristics. Some of these are laid down by the GDPR itself, and others are implicit in the DPO’s functions and have been set out in the Guidelines on Data Protection Officers (DPOs) drawn up by the Article 29 Working Party (“WP29”).
Main characteristics to be a DPO or Data Protection Officer
- Legal and technical expertise: The GDPR provides that the appointment will be made on the basis of “his or her specialised knowledge of data protection law and practice”.
Therefore, although the DPO does not necessarily have to be a lawyer, he or she must have a solid legal background specific to the field of data protection, covering both European and national legislation. In addition, he or she should keep up with the latest developments in this field and be able to interpret and apply the law in a practical way. It is therefore advisable to have a law degree and, if possible, a specialisation or further training in data protection and privacy.
On the other hand, in the current context it is not enough for the DPO to know the law; he or she also needs technical knowledge of the technologies used to manage personal data. The DPO must be able to understand the organisation’s IT systems and how personal data are collected, processed and stored. In this respect, he or she should be able to work with ICT professionals to develop policies and procedures that affect data protection and data security.
As for the level of knowledge, according to WP29 this should be commensurate with the sensitivity, complexity and amount of data that the organisation processes. Knowledge of the business sector and of the organisation in which he or she is appointed will also be useful.
- Independence and autonomy:
WP29 states that the DPO should have a “sufficient degree of autonomy within his or her organisation”. That is, the DPO should be able to act without influence from other departments or organisations, and should be able to make objective assessments regarding the processing of personal data that the organisation carries out or intends to carry out, including whether the organisation’s practices are lawful under the applicable rules. Accordingly, the DPO should not be someone within the organisation who is involved in decision-making that affects processing activities (for example, a senior manager who determines the purposes and means of processing), since that would create a conflict of interests.
- Analytical capacity and focus on risk:
One of the novelties of the GDPR is that its approach is based on the degree of risk of the processing operations. Accordingly, as WP29 notes in its guidelines, the DPO must be able to prioritise so as to focus his or her efforts mainly on those issues or activities that present the highest data protection risks.
- Communication and conflict resolution skills:
One of the main functions of the DPO is to act as the point of contact between the organisation and, on the one hand, the competent data protection authorities and, on the other, the data subjects who may contact the organisation either to exercise their rights or to raise privacy concerns. The DPO also has the essential task of conveying to all members of the organisation the importance of privacy compliance and the measures that must be implemented to ensure data protection. For this reason, it is important that the DPO has the communication skills to deliver the appropriate message at all times and for each interlocutor. It is also essential that the DPO has a certain ability to mediate in the resolution of conflicts, as he or she is often the one who intervenes in the case of claims and complaints from individuals affected by the organisation’s practices concerning their privacy.
In conclusion, while the DPO plays a fundamental role in organisations whose processing of personal data presents risks, he or she must have the characteristics described above; otherwise he or she will not be able to carry out the role efficiently and effectively, covering all the issues an organisation must observe in the field of data protection. In this regard, it should be recalled that it is up to the organisations (data controllers) to select the DPO in accordance with the provisions of the Regulation and to be in a position to demonstrate this, without the DPO being personally liable in the event of non-compliance with the GDPR.
Article written by:
Lawyer specialising in Privacy, Intellectual Property and Technology Contracts.
With offices in Barcelona, Madrid, Valencia and Seville and a significant international presence, Metricson is a pioneering firm in legal services for innovative and technology companies. Since its inception in 2009, it has advised more than 1,400 clients from 15 different countries, including startups, investors, large corporations, universities, institutions and governments.
If you would like to contact us, please do not hesitate to write to us at email@example.com. We look forward to talking to you!