Data Protection Officer: do I need it?
Almost 7 years have passed since I spoke on this blog about the need (or not) for a Data Protection Officer (DPO). Many things have happened since January 2015, and beyond defining the cases in which a DPO is legally required, I want to focus on the day-to-day work of your Officer, if you have appointed one or are thinking of doing so.
What does the law say?
Both the GDPR and the LOPD provide for specific cases in which a DPO must be appointed. If your company or activity falls within these cases, end of discussion: you really need a DPO.
Articles 37.1 of the GDPR and 34 of the LOPD, respectively, define these cases. I want to pause here to discuss the effective role of the DPO in your company beyond completing the formal procedure. It should be noted, however, that a DPO can also be appointed on a voluntary basis, outside the cases set by law, and that, in fact, this circumstance can be taken into account as a mitigating factor in the event of penalty proceedings.
What do you need to know if you appoint a Data Protection Officer?
- His or her appointment must be formally communicated to the AEPD.
- Although not mandatory, the DPO should hold some type of data protection certification.
What are the tasks of a DPO?
Both the GDPR and the LOPD extensively define the duties of the Data Protection Officer. However, I would like to discuss what the regulations do not say and what, in my opinion, are the characteristics of a good DPO for your company:
- Communicating his or her appointment to third parties
Appointing a DPO whose role remains confined to management and to handling communications with the AEPD is a very far cry from what a DPO should be. All too often, companies treat the DPO as a merely administrative role, and the person who performs these duties is unknown to those who really should be aware of his or her existence.
Therefore, when you have a DPO, whether external or internal, everyone in your organisation needs to know about his or her existence and duties and, most importantly, must know when to contact him or her before starting certain data processing. For this to happen, all company staff must be aware that a DPO has been appointed.
Do not forget that one of the duties of the DPO is to intervene in the event of conflicts between the data holders and the company processing them and, therefore, customers and other data subjects must be aware that this position exists in your company.
- Integrating the DPO into relevant decisions
A DPO who only learns that the company has processed data in a certain way after the processing has already been completed cannot do his or her job. Finding out after the fact prevents the DPO from performing one of his or her main duties, which is none other than to ensure the principle of Privacy by Design.
When planning a new email marketing campaign, hiring a new provider with access to data or installing cameras, the DPO should be aware of these facts before they occur in order to give his or her opinion. That opinion must be heard and taken into account when making a decision, which of course remains up to the company.
In conclusion, having a DPO is neither insurance against non-compliance with the GDPR or the LOPD, nor a simple administrative procedure for handling the company's file with the AEPD. A good DPO must be integrated into the everyday life of the company and be “present” when relevant data protection issues are decided upon.
If you want to know more about this or any other topic, do not hesitate to contact us!