This article has been written by Shobhit Kapoor pursuing a course on How to Use AI to Grow Your Legal Practice from LawSikho.

This article has been edited and published by Shashwat Kaushik.

Introduction

A Data Protection Officer (DPO) can be thought of as a watchdog who guards the interests of data subjects and also enables compliance for organisations, which could be data controllers or data processors. He also forms a bridge between these organisations and the supervisory authority. In other words, he ensures that the duties and obligations of data controllers and data processors are intact and in compliance with GDPR, and also that the rights and freedoms of data subjects are protected as per GDPR. Further, the DPO works to smooth the process to be followed in the event of a data breach. Additionally, he will need to train the employees of the DC/DP as well as the highest management of the organisation on GDPR. In his day-to-day duties, a DPO oversees compliance with GDPR for new projects in order to ensure that new services/products are seamlessly aligned with the data protection principles laid down by the applicable laws. It is noteworthy that the DPO in data controller/processor organisations which do not need to conform to GDPR will need to align with the applicable law of the land or region, as the case may be.


The DPO-GDPR connection

A Data Protection Officer (DPO) is a specific role outlined in GDPR. He guards the interests and rights of the data subject (DS) and ensures the fulfilment of the obligations of data controllers (DC) and data processors (DP).

Articles 37, 38, and 39 are key to the role of a DPO.

Article 37 of GDPR lays down when a DPO must be appointed. This article clearly states that both the DC and the DP shall designate a DPO in the following scenarios:

  1. the processing is carried out by a public authority or body, EXCEPT for courts acting in their judicial capacity
  2. the core activities of the DC or DP consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of DS on a large scale
  3. the core activities of the DC or DP consist of large-scale processing of special categories of data pursuant to Article 9 OR of personal data relating to criminal convictions and offences referred to in Article 10

There can be a single DPO for a cluster of undertakings, on the condition that the DPO can be conveniently accessed from each such undertaking and by the DS of those undertakings. Such an undertaking could also be a public authority or body. The DPO can be an employee of the DC or DP, or engaged on a service contract, and the DC or DP shall need to publish and socialise the contact details of the DPO and communicate them to the supervisory authority. Appointing a DPO on a contract basis is, in my view, the most suitable approach, keeping in mind the fact that a DPO who is an employee of the DC or DP could run the risk of safeguarding the organisation's interests even at the expense of compliance with GDPR and the rights of the DS.

GDPR Article 38 outlines the DPO position by stating: "The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data". The DPO shall not receive any instructions regarding the exercise of his tasks (listed in Article 39) and shall not be dismissed or penalised by the DC or DP for performing those tasks. The DPO shall report directly to the highest management level of the DC or DP, as the case may be. This means a DPO can be seen as accountable to the supervisory authority and to the CEO/CIO/CTO.

For all issues and challenges concerning the processing of their personal data, and to exercise their rights under GDPR, data subjects may contact the DPO. Hence, the DC or DP shall need to publish and socialise the contact details of the DPO and communicate them to the supervisory authority as well as to the DS. The DPO is bound by secrecy or confidentiality with respect to his tasks, in accordance with Union or Member State law. He can, however, fulfil other tasks and duties, provided such tasks do not pose a conflict of interest.

Qualifications of a DPO

At the moment, there is no single answer to this. There are no documented qualification requirements for the role of a DPO. It is widely believed, and declared in various forums, that a DPO does not need to know the technology of the controller and processor. Nor does he need to be a lawyer.

However, I beg to differ. In my opinion, the person best suited for the role must have at least some knowledge of how the data (from the DS) is being captured and for what purposes. Of course, he does not need to get into the code to see how a particular data set is being handled. But the fact that a certain set of data is being captured is something the DPO must know in order to succeed in his role.

I would also go a step further and say that a successful DPO must either be a technology lawyer or have sufficient knowledge of the technology laws and regulations of the geography he operates in. Such knowledge has its own merits: the DPO is able to think from various angles, exercise his powers and conduct his role much more effectively.

As far as certification goes, a CIPP/E certification lends a lot of credibility.

Responsibilities of a DPO

Article 39 lays down the tasks a DPO must fulfil, and hence the DPO needs to be chosen on the basis of professional prowess and, in particular, knowledge of data protection laws.

A DPO guides and advises the DC/DP and the employees of the organisation on their obligations pursuant to GDPR and other Union or Member State data protection provisions. He monitors compliance with GDPR and other Union/Member State data protection provisions, and also with the policies of the DC or DP relating to personal data protection. He can assign responsibilities and direct awareness training for staff involved in processing operations. He also assists in audits.

The DPO supervises and provides advice on the Data Protection Impact Assessment (DPIA) pursuant to Article 35.

The DPO shall act as a cooperative single point of contact for the supervisory authority on matters of processing, including prior consultation as provided in Article 36.

So far, the above description has followed what the GDPR mandates or allows. A more detailed dive into the tasks of a DPO, based on experience, could be as follows:

Research on local and international laws

The DPO needs to keep an eye on changing local as well as international laws around data protection and data privacy. Doing so enables him to ensure compliance and to perform a health check by way of internal audits.

Engage with legal department

Legal regulations can be very complex at times. Interpreting intertwined provisions and making collective sense of them can be a gruelling task, and even when accomplished, one may not be sure-footed. This is especially challenging for the DPO when amendments happen or a new statute repeals another. Therefore, it is essential that the DPO has an open thread of communication with the legal department of the DC or DP organisation, as the case may be.

Perform DPIA

Each time a new product or service is designed by the DC or DP organisation, the data collection and processing need to be assessed against the GDPR principles. This involves consultations with the IT (development) team, R&D team, legal team, IT infrastructure team and operations team. For example, when the organisation intends to collect additional customer/user data through a campaign, the DPO, along with the teams mentioned above, needs to deliberate on the additional customer/user data attributes that will need to be collected, ensure that they are mapped to the legitimate business purpose(s), and ensure that a proper consent mechanism is in place for the DS to give their assent. Other GDPR principles, such as data minimisation, purpose limitation, etc., also need to be considered to ensure compliance.

Such an exercise is neither a one-day task nor a one-man show. It is the DPO who puts all the stakeholders in a room and triggers a discussion on all these aspects. The sole aim is to stay compliant, protect personal data and DS rights, and at the same time let the organisation further its business plans for the campaign. This DPIA is described in Article 35 of the GDPR.

Policy, procedures, compliance

The DPO would be responsible for overseeing, and even drafting and publishing, a policy on data protection, covering data collection, processing, transfer, etc.

Each business process of the organisation that needs such personal data must be mapped to legitimate purposes. Further, the data attributes of the DS so collected and processed need to be mapped to those business processes. This exercise enables traceability from legitimate purposes to business processes and to the data elements of the DS being captured. With the help of this mapping, it can easily be inferred which data element, e.g. name, address, ID, etc., is being collected for a particular legitimate purpose. The policy could state that this mapping is an essential exercise to be carried out each time a new product/service is designed or an existing product/service is updated.

The same policy can also lay down the contours of when and how to perform a DPIA, DTIA, etc. It shall be compulsory for the design and development teams to consider and include design elements pursuant to this "data protection policy".

There must also be provision for audits, to be followed across the organisation in order to ensure uniformity.

As the organisation evolves and grows in size, there could be ancillary policies, in all of which the DPO plays a role.

Data breach management

Articles 33 and 34 outline the process to be followed in the event of a data breach. 

Once a data breach occurs and comes to the knowledge of the DC, it is advisable that the DPO of the DC organisation must, without undue delay and within 72 hours of becoming aware of the breach, inform the supervisory authority of the breach.

An exception to this would be a data breach that is unlikely to pose a risk to the rights and freedoms of natural persons (DS). If the data breach has occurred in the systems of the DP, then the DP needs to inform the DC that assigned the processing to the DP.

Liaison with supervising authority

It is a prime expectation of the DPO to be the single point of contact for the supervisory authority. The DPO engages with the authority on behalf of the DC or DP at various times, including when there is a data breach. For the engagement between the DPO and the authority to be effective and successful, the former needs to have a sufficient paper trail to substantiate his conversation. In other words, the DPO needs to ensure that evidence is recorded for all decision-making in the organisation (DC or DP) before he gets involved in reporting a data breach to the supervisory authority. The evidence could be email and message records which prove what decision was taken with respect to personal data, why that decision was taken, what risks were evaluated, whether the supervisory authority was consulted or not, etc.

Even policy decisions need to be recorded, even if it means preserving the minutes of the meeting at which any such decision, having an impact on personal data, was taken.

Ensuring fulfilment of DS rights related to personal data

GDPR confers certain rights on the DS, who are users of the products/services of DC or DP organisations. Rights such as giving and withdrawing consent to the processing of personal data, requesting their personal data sets, being allowed to update their personal data, etc. are to be safeguarded by the DC or DP organisation. It is the DPO of the organisation who must be the point of contact for the DS. The contact details of the DPO need to be published by the organisation so that the DS can make note of them.

Record keeping

The DPO must make sure that the records of processing activities (ROPA) exist at all times. The ROPA is an exhaustive list of all the processing activities undertaken by the DP on behalf of the DC.

Conclusion

The role of a DPO is a very significant one as regards data protection. As we can see from the paragraphs above, a DPO is a multi-pronged personality who strikes a precarious balance between the rights of data subjects and the interests of the data controller or data processor organisation he serves.

This article on the DPO role is a blend of GDPR mandates and my own opinions and ideas about how the DPO role can be extended to bring more value to the organisation as well as to the rights of the data subjects. This is because, typically in the IT sector, any employee or contractor in a specific role ends up doing more than what his job description states. In such a culture, I have thought it useful to extend the responsibilities of a DPO, as in this article, so that readers, who could even be those looking to hire a DPO, are guided in this role. Stay safe and data-safe.
