The Data Protection Officer (DPO), an exceptionally solicitous partner who genuinely loves the Great Dame who Protects and Reassures (GDPR), otherwise known as the General Data Protection Regulation, is the main character of our digital stories from May 2018. To make sure these love stories stay fun and romantic rather than intense or horrific, we will first get to know this character better.
At the crossroads of the new (and old) responsibilities of Data Controllers (DC) and their Data Processors (DP), National and European Supervisory Authorities (SAs) and Data Subjects (DS), the DPO controls the circulation of data around the latter … and his life is sometimes Rock 'n' Roll (as is the address of the Luxembourg National Commission for Data Protection – NCDP).
As part of the obligation to ensure compliance with the GDPR, a DPO may in particular:
1) collect information to identify data processing activities
2) analyze and verify the compliance of processing activities with the GDPR
3) inform, advise or make recommendations to the controller or the processor
It seemed practical to us to start this Saturday a series of articles about this fascinating and multi-talented man or woman, inevitably with a dose of irony, self-mockery and perspective, since safeguarding personal data is not the main concern of the entrepreneurs, managers and executives of our firms.
Belgian companies badly prepared: They do not even know the subject
A survey conducted by the antivirus specialist Kaspersky Lab showed that 16 percent of Belgian companies had never heard of the GDPR, and 32 percent had heard of it but did not know what it meant, 8 months before its entry into force.
A third of IT professionals in Belgium doubt that their company will be able to fully comply with the regulation by May 2018, whereas this percentage is only 19% in the Netherlands (read La Libre Company of October 21, 2017).
The situation is identical in France and in most of the 28 member countries of the European Union (only 31 percent of companies think they will be ready in time, 46 percent have no idea and 23 percent think that this is unattainable).
Obligation to appoint a DPO
The controller and the processor shall appoint a data protection officer in any case where:
(a) the processing is carried out by a public authority or body, with the exception of courts acting in their judicial capacity;
(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
For our French friends, the “Délégué à la Protection des Données” (DPD in French, DPO in English) replaces the Correspondent for the Protection of Personal Data, the “Correspondant Informatique et Libertés”, who ensured compliance with the requirements of the law of 6 January 1978.
Personal data protection professionals are currently referred to as Beauftragter für Datenschutz in Germany, Personuppgiftsombud in Sweden, Functionaris voor de gegevensbescherming in the Netherlands, Personas datu aizsardzības speciālista in Lithuania, Isikuandmete kaitse eest vastutav isik in Estonia, Chargé de la protection des données in Luxembourg, Préposé à la protection des données in Belgium, Datenschutzberater/responsabile della protezione dei dati in Switzerland, Rapprezentant ta’ data personali in Malta, Belső adatvédelmi felelős in Hungary, Dohľad nad ochranou osobných údajov in Slovakia and Responsable de seguridad in Spain (Comparative analysis of Data Protection Officers [archive], CEDPO, 2012).
The criterion for the requirement to appoint a data protection officer is not the size of the enterprise but rather the risks involved, in particular the type of business activity (mainly or incidentally devoted to data processing) and the significance of the data processing (categories of data processed, type of processing and number of people whose data are processed).
Voluntary designation of an internal, external or shared DPO
Aside from these requirements, the appointment of an internal (employed), external (“ad interim”) or shared (“pooled”) data protection officer is always possible and is encouraged by the national supervisory authorities.
The Regulation provides that data controllers and processors may opt for a shared or external data protection officer.
The officer becomes the true “conductor” of data protection compliance within his or her organization. His or her mission is to:
1) inform and advise the controller or processor, as well as its employees
The officer is in charge of ensuring compliance with the European Data Protection Regulation within the organization that employs him or her, for all the processing carried out by that entity.
A Data Protection Officer, internal or external, may be appointed for several establishments under certain conditions, so as to guarantee his or her effectiveness.
Organizing the recruitment and the function of the DPO
To ensure the effectiveness of his or her missions, the officer:
1) must have professional competencies and specific knowledge
2) must benefit from material and organizational means, resources and an appropriate status to carry out his or her missions.
The creation of the Data Protection Officer function needs to be anticipated and planned today in order to be ready by May 2018.
In France, the data protection officer is the natural successor of the CIL (“Correspondant Informatique et Libertés”). Their statuses are alike, especially in terms of independence and required skills. The same goes for the Grand Duchy of Luxembourg with the “Chargé de la Protection des Données” (CPD) and for Belgium with the “Préposé à la Protection des Données” (PPD).
However, the Regulation lays down requirements for the officer with respect to his or her credentials (professional qualities, specialized knowledge of data protection law and practices) and continuing education (maintenance of that specialized knowledge).
The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfill the tasks referred to in Article 39 (Article 37.5 of the European Regulation).
His or her rights and duties are strengthened, mainly with regard to the advisory responsibility and the responsibility of raising awareness of the new obligations under the Regulation (specifically in terms of advice and, where applicable, verification of the application of Data Protection Impact Assessments).
Additionally, enterprises (Controllers & Processors) must provide their officer with the resources essential to their tasks (in particular, involving them properly and in a timely manner in all data protection issues, giving them access to the data, and allowing them to keep training).
Lastly, unlike the previous national data protection officers whose designation is non-compulsory, the appointment of the officer is compulsory in a number of cases.
The GDPR provides that the data protection officer is appointed on the basis of his or her professional qualities and, in particular, his or her specialized knowledge of data protection law and practices, as well as his or her ability to carry out the tasks referred to in Article 39 of the GDPR.
It should thus be assessed on a case-by-case basis whether the person selected as data protection officer actually meets the requirements of the GDPR. This is an analysis that must be done internally by the controller or processor who intends to appoint an officer.
A beautiful mind
The person who is intended to become a data protection officer must be able to combine the following qualities and skills:
the ability to communicate effectively and to carry out one’s duties and job autonomously. The officer must not have a ‘conflict of interest’ with his or her other roles inside the company. This means that he or she cannot take part in tasks within the company that would lead him or her to determine the purposes and means of a processing (don’t be “judge and party”)
proficiency in the field of data protection legislation and practices, acquired in particular through continuous training. The level of proficiency must be adapted to the activity of the company and the sensitivity of the processing carried out
a sound knowledge of the company’s business sector and organization, and in particular its processing setups, information systems and data protection and security needs
an internal and effective positioning that makes it possible to report directly to the topmost officers of the corporation (directors) and also to lead a relay network within the subsidiaries of a group, for example, and/or a team of internal experts (IT expert, lawyer, communication expert, translator, etc.).
There is hence no standard profile for the officer, who may come from the technical, legal or other fields. A study conducted for the CNIL in 2015 revealed that CILs come from a wide range of backgrounds (47% IT profile, 19% legal profile and 10% administrative profile).
Since 28,000 is the projected number of DPOs needed to guarantee compliance with the Regulation, how can we not see the commitment or choice that organizations make to employ a DPO as an exceptional opportunity for our professional lives? And those of our children and grandchildren and …
Collective. European Data Protection Regulation: The European Data Protection Regulation implemented on April 27, 2016, devotes new concepts and imposes … Advanced & Right) (French Edition) (Kindle Locations 10461-10465). Larcier editions. Kindle Edition.
By Christophe Boeraeve
International Tax and Corporate Lawyer
IAPP’s Certified Information Privacy Professional Europe (CIPP/ E )
EU Expert for the Fast Track to Innovation Action
Partner | Lawyer Law-right