FAQs on the role of the Data Protection Officer
If you are pursuing privacy compliance, you may need to consider appointing a Data Protection Officer (“DPO”). Although the Act provides for the designation of a DPO in certain instances, it may be worthwhile for all organisations to consider designating one. Who is a Data Protection Officer and what are the benefits of appointing one? We consider common questions associated with the role of the Data Protection Officer.
1. Who is a Data Protection Officer?
Section 24 of the Data Protection Act 2019 creates a new professional role and requirement for organisations to designate a Data Protection Officer. The DPO’s primary responsibility is to spearhead an organisation’s privacy compliance program. In addition, the DPO acts as liaison between the organisation and regulators, key among them being the Data Commissioner.
2. Do all organisations need to appoint a Data Protection Officer?
Section 24 of the Data Protection Act states that data controllers or processors should consider appointing a Data Protection Officer if:
- the controller or processor is a public or private body involved in processing personal data (apart from the judiciary when acting in its judicial capacity);
- the core activities consist of processing operations which, by nature, scope or purposes require systematic monitoring of data subjects; or
- the core activities consist of processing sensitive categories of personal data.
A plain reading of section 24(1) implies that all corporate organisations (whether public or private) that process or handle personal data should designate or appoint a Data Protection Officer. Additionally, organisations whose core activities consist of systematic monitoring of data subjects or processing of sensitive personal data should also designate or appoint a DPO. The Act defines neither “systematic monitoring” nor “core activities”, and the draft Regulations offer no guidance on the matter, so both terms are open to interpretation. In the EU, the European Data Protection Board has issued interpretation guidelines that may be useful. However, unless the courts or legislation clarify the issue, the matter remains open to debate.
3. What are the DPO’s responsibilities?
A DPO is responsible for spearheading privacy compliance within the organisation. In other words, the role holder is responsible for developing and implementing the privacy strategy. In addition, the DPO is charged with the following responsibilities:
- advise the organisation on important compliance requirements
- train staff involved in data processing
- advise and make recommendations about the interpretation or application of the data protection rules
- monitor compliance and address potential issues proactively
- advise on data protection impact assessments
- serve as the key contact person with the Data Commissioner and any other regulator in matters relating to data protection
- maintain records of data processing activities
Overall, appointing a DPO helps an organisation to centralise its compliance efforts and create efficiencies.
4. What qualifications should the role holder possess?
The Data Protection Act gives a general guideline on the qualifications of the Data Protection Officer. In particular, it states that the DPO should have the relevant academic or professional qualifications including knowledge and technical skills in matters relating to data protection.
Generally, you need to consider a person who has a good understanding of data protection law. However, it is not enough to know the letter of the law; the candidate should understand how to comply with it in practice. In addition to legal and compliance knowledge, the person should have a good understanding of your industry as well as the organisation’s IT infrastructure, systems and business operations. Therefore, people with a background in law, information security, internal audit and compliance may fit the bill.
Apart from the technical know-how, the role holder should also have good relationship management and communication skills. This is because the person will be expected to help the organisation navigate through compliance, respond to breaches and communicate with various internal and external stakeholders. They will also be expected to manage the expected cultural and operational changes that will emanate from implementing the privacy program.
Finally, consider a person with good negotiation skills. Often, you will need to seek external advisors or enlist the services of third-party vendors. The DPO should be able to negotiate good terms and get value for money.
5. Does the role holder have to be a new hire or can an existing staff member fulfil the role?
You may designate an existing staff member as a Data Protection Officer. However, you must ensure that the appointment does not result in a conflict of interest between the DPO’s tasks and their existing tasks. For example, if the person’s current role involves determining the means and purposes of processing personal data, they may not be the ideal candidate. Additionally, the proposed role holder must have the capacity to handle the DPO duties alongside their existing role. If the organisation is large, you may consider appointing additional data protection specialists to support the DPO.
6. What is the best reporting line for the role?
The Act does not specify where the role should sit within the organisational structure. However, the compliance obligations imposed by the Act imply that an organisation’s operations must be geared towards data privacy compliance. The penalties for non-compliance are steep and may result in unwarranted business interruption. As a result, you should consider a reporting structure that gives the role holder the authority and autonomy to influence the change required. The reporting line or positioning of the role within the organisation signals how much the organisation values privacy compliance. Consider positioning the role within the highest levels of management; for example, within the C-suite with a reporting line to the Board. This way, the Board will be fully apprised of risks and can make the decisions necessary to ensure compliance.
7. Can we outsource the role of the Data Protection Officer?
The Act does not prohibit outsourcing the role of the DPO. Having an in-house DPO is advantageous in many ways. First, the role holder typically has a good understanding of the organisation’s processes, which makes it easier to tailor the privacy program to the organisation’s specific needs. In addition, an in-house DPO is easily accessible, and their knowledge remains with the organisation.
However, because the role is new, very few people currently meet the desired qualifications. In addition, it may be costly to add a new role to the structure. For these reasons and more, you may consider outsourcing the role to an external DPO.
8. Can a group of companies appoint one DPO?
Yes. Section 24(3) provides that a group of entities may appoint a single data protection officer. However, the appointed DPO must be accessible to each entity. Therefore, you need to evaluate the workload and ensure that the DPO is capable of handling all data protection issues across the group. You can consider appointing data protection specialists as part of a team to support the DPO. These specialists should report to the DPO.
9. Can several public bodies designate one DPO?
Yes. Section 24(4) provides that where a data controller or a data processor is a public body, a single data protection officer may be designated for several such public bodies, taking into account their organisational structures.
10. Do I need to communicate the contact details of the Data Protection Officer?
A data controller or data processor must publish the contact details of the DPO on its website. In addition, the details should be communicated to the Data Commissioner, who shall in turn ensure that the same information is available on the Data Commissioner’s official website.
11. How can an organisation support its DPO?
The Act does not give any guidance on the nature of support that an organisation should provide to its DPO. However, international best practice is that the organisation should ensure that the DPO is given adequate access to the organisation’s personal data and processing activities. The DPO should also be given adequate resources to perform the role and the independence to carry out their duties without fear of losing their job. Staff should be encouraged to support the privacy office by seeking advice as appropriate and involving the office in all data processing activities.

Disclaimer: The information on this blog is available for informational purposes only and is not considered legal advice on any subject matter. By viewing blog posts, the reader understands there is no advocate-client relationship between the reader and the blog publisher. The blog should not be used as a substitute for legal advice from a licensed professional advocate, and readers are urged to consult their own legal counsel on any specific legal questions concerning a specific situation. The information on the blog may be changed without notice and is not guaranteed to be complete, correct or up-to-date. While the blog is revised on a regular basis, it may not reflect the most current legal developments.