The role of the Data Protection Officer (DPO)

Excerpt from Bruno DUMAY's book: GDPR DECRYPTION – For Managers, Strategic Departments and employees of companies and organizations – Preface by Gaëlle MONTEILLER

Along with the Impact Assessment, the Data Protection Officer (DPO) is the second emblematic creation of the GDPR. In France, it logically replaces the Correspondant Informatique et Libertés (CIL). It should be noted, however, that the European Union has long recommended the appointment of a DPO in large administrative and economic structures, and that some have already followed this recommendation.

The Article 29 Working Party (G29, also referred to as WP29) worked on the role of the DPO and adopted "guidelines" finalized on April 5, 2017. These details help us to outline the contours and contents of this key position.

The designation of a DPO is mandatory for (art 37-1):

– public bodies;

– organizations whose core activities require them to carry out regular and systematic monitoring of individuals on a large scale. The G29 distinguishes between support activities, such as payroll or IT, and core activities, which concern the organization's core business (health data for a hospital, for example). Similarly, it takes a very broad view of the concept of "regular and systematic monitoring," which is not limited to the online environment;

– organizations whose core activities lead them to process "sensitive" data or data relating to criminal convictions and offences on a large scale (the G29 provides significant elements for determining what is meant by "large scale").

A group of companies, or a set of public bodies, may appoint a single DPO (art 37-2 and 37-3). Beyond these mandatory cases, the appointment of a DPO is, here again, strongly recommended by the G29 as good practice.

The data protection officer is appointed by the data controller, and the processor where applicable, on the basis of his or her professional qualities, “in particular his or her specialist knowledge of data protection law and practices, and his or her ability to carry out his or her duties” (art. 37-5). The more complex the processing operations, the higher the expected skills.

The DPO may be internal or external to the organization, and in the latter case carries out their mission on the basis of a contract. If the service provider is a team, the tasks of each member must be specified and a team leader designated. The WP29 recommends that the DPO be easily "reachable" and therefore established in the European Union. However, particularly when the controller or the processor is based outside the European Union, it is acceptable for the DPO to be based outside the EU if they can act more effectively that way.

The DPO does not play a merely symbolic role. He must be involved, by the data controller and the processor, "in all matters relating to the protection of personal data" (art. 38-1). He can be contacted by any person whose personal data is processed (art. 38-4). He has the "necessary resources" to carry out his duties, he has access to the data and processing operations, and he must even be able to "maintain his specialized knowledge" (art. 38-2). By "necessary resources," the G29 also means support from management, sufficient time, material conditions, and training. The DPO is, in a way, sanctified.

All the more so since his independence is guaranteed. He cannot in fact "receive any instructions regarding the exercise of the missions" (art. 38-3). The data controller and the processor have no authority over him, apart from the power to appoint him; he is accountable only to the "highest level" of their management. He is also bound by professional secrecy and the obligation of confidentiality (art. 38-5).

Despite this status, the DPO is not liable for non-compliance with the GDPR by the organization that appointed them. Only the data controller and/or the processor are liable. Criminal liability could only be incurred in the event of complicity in a wilful violation.

The data protection officer may perform other duties and tasks, provided they do not entail conflicts of interest (art. 38-6). It is therefore impossible for him to perform functions that would lead him to decide on the purposes and means of processing personal data. A DPO can therefore hardly exercise management functions within the organization or work within the department responsible for data management. In 2015, the CNIL conducted a study to determine the profiles of CILs; it emerged that there was no typical profile: 47 % had a technical profile, 19 % a legal profile, 10 % an administrative profile. It is likely that, initially at least, this absence of a typical profile will also be found among DPOs.

Article 39 of the GDPR lists the DPO's duties:

– inform and advise the controller, the processor and the employees carrying out the processing on their obligations relating to the rules on the processing of personal data;

– monitor compliance with the regulations, but also raise awareness and train staff involved in processing operations;

– provide advice, if requested, on the impact assessment. The WP29 guidelines clearly give the DPO a major role in this assessment: he or she must be consulted on whether it is needed, on its methodology and content, and must then judge its quality;

– cooperate with the supervisory authority and be the point of contact for it. At the time of writing, the CNIL is developing a form for designating the DPO.

It is not in the article, but the G29 adds an additional, optional, mission for the DPO: "Nothing prevents the controller or the processor from entrusting the DPO with the mission of keeping the register of processing operations carried out under the responsibility of the controller or the processor." Perhaps this is a suggestion intended to facilitate the flow of information between the different actors?

This would not be useless. Because at the end of this analysis of the function, one realizes that it will not be easy to find, even in a large company, a person who is both competent to play this major role and free from any responsibility in the processing of data, so as to avoid conflicts of interest. It is indeed not easy to be aware of the provisions of a regulation, and especially of their consequences, when one does not have to implement them oneself in the course of one's work.

At this point, the problem of appointing your DPO is simply stated, even though it actually breaks down into three separate statements:

Appointing someone internally raises multiple obstacles, such as the social aspect and the renegotiation of the employment contract. Indeed, in this case it is a safe bet that the scope of this new mission was not known when the contract was initially signed. If we add the notion of risk and the direct and exclusive subordination to the company's governance and to no one else, it amounts to a substantial modification of the contract, and therefore to a new employment contract. And who will evaluate and supervise this person internally? And who will do their former job, since they can no longer be judge and party in their own case...

Recruit externally, and demand soars. The profile is so sought after by major and mid-tier companies that there is real wage inflation, driven by a shortage. And the problem remains: who will evaluate and supervise this person?

Therefore, why not delegate this DPO function to a sworn professional, who could perform the role with a level of skill and independence that is difficult to achieve internally? The regulation says nothing about this possibility, and it will be necessary to see in practice whether it is conceivable and envisaged (nothing prevents us from questioning the CNIL on this subject). In any case, it seems interesting to us, as a guarantee of a virtuous relationship between the data controller and the data protection officer.

And finally, an organization can simply decide not to appoint a DPO, since it is simply not strictly obliged to do so.
