The DPO role can be performed by an internal/external individual or a team, but the main contact must be an individual who should be in a senior role; a DPO must have operational independence, functioning as a “conductor” for the organisation’s data processing. The DPO’s location is not material, and a DPO need not be a lawyer if he/she has access to legal skills or expertise, but required skills include interpersonal/communication, organisational/privacy programme management, leadership, data privacy strategy, business/technology, and external engagement.
1) Executive Summary
The function of the data protection officer or chief privacy officer is an essential component of data privacy accountability, playing a crucial role in enabling organisations to ensure and demonstrate both data privacy compliance and effective privacy protection of individuals. In recognition of its crucial status within organisations, this function is formally recognised and described in detail in the General Data Protection Regulation (GDPR) in the role of a formal “data protection officer” (DPO).
This CIPL paper on “Ensuring the Effectiveness and Strategic Role of the Data Protection Officer under the General Data Protection Regulation” examines the requirements for the appointment of a DPO and the nature, function and scope of the DPO role under the GDPR. The GDPR outlines key parameters and requirements for the DPO role, underscoring its significance in a wider data privacy accountability context. However, there are some areas that may present challenges for organisations, or require clarification, interpretation and guidance to ensure an effective implementation of the DPO role. This paper examines these areas and makes suggestions regarding implementation and interpretation as well as further guidance by the WP29. An overarching goal of the recommendations in this paper is to encourage a flexible interpretation of the DPO requirements to make them work for large multinational organisations, as well as SMEs, start-ups, NGOs and public authorities.
With respect to the prerequisite criteria of “systematic”, “regular” and “large scale” for the mandatory appointment of a DPO, organisations will require a clear and concrete understanding of these terms in order to meet their obligations under the GDPR. CIPL takes the view that companies should benefit from flexibility in determining whether their processing operations fall within the ambit of the “systematic-regular-large-scale” criteria, using their best judgement and taking into account the entirety of their business operations. Organisations should also be able to identify and demonstrate their decision-making processes on this matter in the event of an inquiry or enforcement action by an EU DPA. Thus, in addition to recognising the need for context-specific flexibility regarding the interpretation of these criteria, any WP29 guidance might, in addition, focus on a set of factors to consider when determining whether processing operations fall within the “systematic-regular-large-scale” criteria.
The appointment of a voluntary DPO is another key area requiring clarification and guidance. Organisations that do not meet the criteria of a mandatory DPO appointment are under no obligation to appoint a DPO. CIPL believes that in order to discharge their general obligations under GDPR, including implementing accountable and effective data privacy compliance programmes, organisations will have to allocate responsibility for data privacy and GDPR compliance to one or more dedicated employees who may or may not carry the DPO title. Thus, organisations should be encouraged to appoint DPOs or employees with an equivalent role. However, if they give such “voluntary” DPOs the “DPO” title, then that DPO must comply with the full range of GDPR DPO requirements. If an organisation that is not required to appoint a DPO desires to appoint someone in a similar role or function anyway without assuming the full range of GDPR obligations, that person should be given a different title to avoid confusion.
The DPO role may encompass strategic and governance functions in addition to a compliance function. This is reflected in the role’s evolution from a side-bar function within legal or compliance departments to its currently more strategic position at the executive level. Currently, the appointment of DPOs and CPOs by a growing number of organisations has already created a body of “best practices” for the DPO role. These should be taken into account when implementing the DPO role under the GDPR.
The GDPR does not specify the required “professional qualities” and “expert knowledge of data protection law and practices” of the DPO. CIPL recommends that the appointment of DPOs should be based on the specific requirements and needs of an organisation in terms of the skills and qualities required to fulfill the role of the DPO.
The DPO guidance should clearly establish that while there must be one responsible “lead” DPO, the DPO role generally can be performed by a DPO office or a DPO team. This would include the internal and external staff and advisors to assist the DPO in discharging all applicable DPO responsibilities. While the DPO role encompasses legal knowledge and experience for its advisory tasks, it also includes other areas of expertise and skill sets beyond the data privacy or legal areas, as specified in this paper.
A striking feature of the DPO GDPR provisions is the requirement for the DPO to report directly to the “highest management level”. This requires interpretation by the WP29. CIPL believes the reporting lines for a DPO should be true and effective reporting lines, mapping a DPO’s report to the appropriate management level where significant strategic influence and authority is held with respect to the DPO’s tasks. Overall, given the required range of skills and expertise, the diversity of tasks, the strategic role and the access requirements to top management, the DPO position should be a senior position within the organisation. In addition, it should not matter where in the world the DPO is located, so long as there is effective implementation of the DPO requirements, including those relating to internal reporting and accessibility for individuals, employees and DPAs.
Further, the DPO duties of “secrecy or confidentiality” as detailed under Article 38(5) could potentially create a conflict for a DPO, who is expected to discharge his or her duties to an organisation in a cooperative, inclusive and transparent manner. We recommend a broad interpretation of this provision to create a workable and sensible solution as to the types of information that should be kept confidential by a DPO vis-à-vis the company.
The issue of “conflict of interests” (see Article 38(6)) also requires clarification. While the provision does not prevent a DPO from fulfilling other non-DPO duties, an employer does have a duty to ensure that the DPO and non-DPO duties do not conflict. We believe a wide interpretation should be taken of the roles and duties that are compatible with the DPO function. Industry experience demonstrates that chief privacy officers successfully combine their roles with other roles, such as information governance officer and chief data strategist. It is the very essence of a successful DPO to have a wide-ranging and diverse skill set and to perform multiple interdependent functions within an organisation, including compliance, business strategy and governance functions.
Under the GDPR, DPOs will have an obligation to “consult” and “co-operate” with EU DPAs where appropriate on relevant data protection matters. It is important that this requirement is not interpreted as requiring DPOs to perform a type of whistleblower role, formally reporting non-compliances and issues within the organisation to the DPAs. The DPO must remain a trusted business advisor within the organisation and a trusted organisational contact point for the relevant DPA who will continue to engage in an ongoing dialogue and informal consultations with DPAs.
The development of future WP29 guidance on the DPO will provide a vital opportunity to clarify and expand on the important role of the DPO so that the role can be discharged effectively. Such guidance should preserve the maximum flexibility for organisations to implement the DPO role as appropriate within their contexts and circumstances. This becomes particularly important for SMEs, non-profits, NGOs and universities that may have extensive processing operations but limited resources.