If you’ve come across some humans since May 25th, 2018, you probably know that the General Regulation on Data Protection (GDPR) came into force and caused a wave of panic for some companies.
If you just found out about the existence of the GDPR in this introduction, welcome among us!
Anyway, this regulation shook up the organization of some companies about how they collect and process personal data. At this point of the article, if you still don’t know what I’m talking about, dive (back) into one of our old content to know what the GDPR is all about.
So, before this (slight) digression, I wanted to say that the regulation gave rise to the emergence of a new actor: the Data Protection Officer. We briefly explained his role in a tiny paragraph of a previous article, but without going into details. I think you see me coming: this article will be about the Data Protection Officer.
If this article’s topic doesn’t make your spidey senses tingle (at least, I hope so), you cannot get away from this rite of passage. The Data Protection Officer plays an essential part in the GDPR compliance.
Let’s start with the beginning
If you want to enrich your personal culture with useless information, remember that the expression “Data Protection Officer” is mentioned precisely 27 times throughout the GDPR. The legislator never considered useful to define that notion in article 4. Maybe it was a deliberate choice to not restrain the DPO‘s job within the company?
Oh, I forgot to tell you: “Data Protection Officer” is usually shortened as… DPO.
Anyway, the Data Protection Officer takes the companies by the hand (supposing that they have one) to guide them into their GDPR compliance. He provides some advice and shares his infinite wisdom so you can welcome the supervisory authority with tea and cookies if you’re being controlled.
What are exactly the DPO’s job and missions?
The Data Protection Officer works in collaboration with the controller and the processor to answer any of their questions, give some advice or provide guidance on the steps to follow into their compliance.
Each company is different and doesn’t necessarily have the same needs. Consequently, the DPO‘s job and missions are different for every one of them. Nonetheless, the GDPR mentions some of the DPO’s missions in a list which is far from being complete:
- The DPO informs and advises any person processing data in accordance with the GDPR;
- He monitors compliance of the GDPR by companies;
- He gives advice if you need to carry out an impact assessment and monitors its performance;
- He grants the persons’ requests (you know, the right to be forgotten, to erasure, etc…);
- He acts as an intermediary between the company and the supervisory authority, especially if the latter were to blow into town…
These missions don’t seem like a big thing, but actually, it’s an huge amount of work if you start from scratch! The Data Protection Officer can spend weeks – or even months – to map all the data, prioritize the risks and implement technical and organizational measures. And yet, all these stages are purely theoretical. The effective implementation of the measures and the processing can take years.
Now that I put you down in the dumps, let’s move along with the rest of this article. Take a tissue, dry your tears, and hold on!
When is a DPO mandatory?
You want some good news to stop your crocodile tears? Designating a Data Protection Officer is only mandatory in some cases:
- If you work for a public authority or structure. Whether you’re local or regional government, a hospital, or basically anything public, you must designate a DPO. Only the judiciary branch was spared by this obligation, for unknown reasons (if you like conspiracy theories, go at it!).
- If the data collected require a regular and systematic monitoring of the persons on a large scale. To make it simple, if you handle many personal data, it’s highly likely that you need a DPO;
- If you process data on a large scale relating to:
- Racial or ethnic original
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data
- A person’s sex life or sexual orientation
At this point, you should have lost interest in this article. Whether the conditions above apply to you and you’re having a breakdown, or they don’t apply to you and you read this part for nothing.
Now that I have your attention again (at least, I hope so), I have semi good news that should comfort those of you who must to designate a DPO…
A Data Protection Officer is only mandatory in three cases, but the conditions are so wide that they apply to many companies. For instance, if you process a lot of personal data within the scope of your professional activity, there are great chances that you must designate a DPO.
The conditions stated by the GDPR are so general that it’s impossible to make a list of all the companies which must designate a DPO. Everything will be left to the discretion of the supervisory authority, which will punish you if you thought you weren’t subject to that obligation. Consequently, that subjectivity could play tricks on you.
The supervisory authorities realized that some wordings of the GDPR were very blurry. That’s why they highly recommend that you resort to a DPO. Thanks to the latter’s expertise in the field of the GDPR, he could give you some relevant advice and guide you into compliance.
Can I designate my controller as a DPO?
Because of a poor communication and a lack of awareness-raising actions, some companies didn’t grasp the importance and the difficulty of the GDPR. Some of them designated their controller as a Data Protection Officer. Per se, it’s not forbidden… but it’s a bad idea.
Unless your controllers underwent a specific legal training about the enforcement and the interpretation of the GDPR, they’re not necessarily suited to comply your company with the regulation.
Generally, a controller doesn’t have a great expertise in the GDPR. Therefore, that person is likely to make mistakes during compliance, which will probably lead to a penalty if you’re being controlled.
To avoid some setbacks, it’s highly recommended that you turn to a professional of data protection to ensure your compliance.
Right now, you’re probably thinking: “How can I find the DPO who will put me on the compliance track?”. Be patient, dear reader, good things come to those who wait…
What’s the DPO’s ideal profile?
Many companies fall into the trap of considering the GDPR as a computer law, probably because it was “sold” to them as such. Ipso facto, some structures published ads to find an IT engineer who can make their company compliant.
To be honest, hiring a regular IT engineer is a big mistake, dear readers! Have you ever tried to read the Data Protection Regulation? This indigestible text, with no colors, no pictures, 88 pages long written in font size 10? Only a jurist has the capacity to read, understand and interpret all the articles stated by the regulation.
If you don’t believe me, the ICO said it! On its page to find the perfect DPO, the authority says that the officer must be designated for his “experience and expert knowledge of data protection law”.
Consequently, companies who choose a DPO specialized in IT engineering make a very questionable choice. Indeed, the Data Protection Officer barely uses his IT skills, while jurists constantly use their expertise by referring to the regulation.
If you’re still not convinced by what I’m saying, let’s take a concrete example… Finding the ideal DPO is like a quest for your soulmate. Unless you have self-destructive tendencies (it happens), you’ll instinctively choose the best and most qualified person… not the first IT scientist who crosses your path. Therefore, choose a DPO who meets all the supervisory authority’s requirements to ensure compliance in the best conditions possible. Once you found your ideal DPO, you’ll soak up the good life!
By the way, other people have given thought to that DPO/soulmate metaphor way before I did. There are websites designed just like a dating site… to find the DPO of your dreams! Pictures, age, catchphrase, references… everything to make you feel like you found the love of your life.
Anyway, choose a Data Protection Officer who has strong legal knowledge. Some law schools even started teaching digital law. These “cyber jurists” know the GDPR like the back of their hands, so they’re totally up to the challenge!
I cannot afford to hire a full-time DPO!
Fear not, dear readers! If you cannot afford to hire a full-time DPO, it may be a good thing. Indeed, the supervisory authority recommends using the services of an external DPO to ensure compliance with the GDPR. This solution has many advantages:
- The DPO is not subject to a hierarchal link. He can take any necessary measure regarding your GDPR compliance, without being influenced by anyone;
- The DPO only assists you when you need him;
- You company makes substantial savings by occasionally turning to an external DPO;
- Since the DPO provides a service, his customers’ satisfaction is essential. Therefore, he’ll do everything he can to provide the best advice possible in order to ensure a perfect compliance!
In short, thanks to an external DPO, everybody wins!
How can I find my DPO?
Piece of advice: no need to go through the Yellow Pages and look up “Data Protection Officer”. Best case scenario, you’ll find a good “data analyst”; and worst-case scenario, a decent “dog therapist”.
So, what can you do? You can scope out the internet, but it’ll take you a lot of time. Or you can directly call on Ziwit Consultancy Services to know the steps to ensure your compliance. We’ll take care of designating the ideal DPO for you!