29 May 2018
The GDPR imposes a new obligation on some companies and their subcontractors: to appoint a Data Protection Officer, who must be involved in any issues around using and protecting personal data.
The organisations concerned are:
– All public authorities, except for courts acting in their judicial capacity, whatever type of data processing operations are carried out
– Organisations whose core activities consist of processing operations which require “regular and systematic” monitoring of data subjects on a large scale
– Organisations whose core activities consist of the large-scale processing of personal data regarded as sensitive (such as genetic or biometric data, data relating to health, religion, political opinions or union trade union membership, etc.) or data relating to criminal convictions and/or offences.
The G29, which brings together all European data protection authorities and will be replaced, in 2018, by the European Data Protection Supervisor, has described in various publications the concepts of “regular and systematic monitoring” and “large-scale”. It also advises any organisation which does not meet these criteria to voluntarily appoint a DPO.
Video to translate: https://www.youtube.com/watch?v=Fa3dGOheAGA
Further reading: 80,000 DPO jobs created in France in 2018 (in French)
The Role of the DPO
The DPO is, according to the recommendations of the GDPR/RGPD, an orchestrator of all tasks relating to the use, management and protection of personal data. Their tasks will include informing and advising data controllers and potentially their subcontractors, as well as all company staff. In France, they succeed the “Correspondant Informatique et Liberté” (IT and civil liberties coordinator) and have a similar status. But their roles and prerogatives are bolstered, in particular, their advisory and checking duties.
As the guardian of compliance (and required to attend regular training and briefing sessions on regulatory changes), the DPO’s role is to identify all the company’s personal data processing operations and assess their privacy implications, working with the general management. Bound by a duty of confidentiality, they will be asked by the data controller to evaluate the need for an impact assessment, choose the most appropriate methodology and develop the guarantees to be applied to prevent damage to data subjects’ privacy.
The data controller or subcontractor remains responsible for the compliance of the processing operation. The G29 stresses the importance of documenting the whole processing operation for traceability purposes. The data controller must, therefore, justify why they did not follow the DPO’s advice.
Lastly, any activity that may have consequences for personal data protection must be the subject of a privacy impact assessment. The company must also adopt measures to mitigate any consequences of damage to the protection of personal data caused by the activity. The DPO is required to consult the supervisory authority before the activity begins.