Data Protection & DPOs
An effective Privacy or Data Protection Officer (DPO) is necessary for a successful privacy or data protection programme. Some privacy and data protection laws require all public authorities, and private businesses in certain circumstances, to formally designate a DPO. Even where it is not legally required, it is good practice to assign an employee responsibility for overseeing the implementation of the privacy/data protection programme. It does not have to be a standalone position, and it is not necessary to give the person the formal title. What is advisable is to identify someone with sufficient knowledge of good data protection practices and of the operations of the organisation, and to ensure that all employees know who they are. Their role is to provide leadership, advice and coordination on developing and implementing policies, procedures and practices that promote good data protection practice within the organisation. This individual will also function as the point of contact for the public and for the privacy/data protection regulator with respect to complaints or reports of data breaches.
Communication
The primary function of the DPO is to communicate. They also require a sufficient level of expertise in data protection and knowledge of the organisation. They must assess what the organisation needs to do to ensure compliance with the privacy/data protection laws and communicate that to the executive of the organisation. They should ensure that the organisation implements the direction of the executive and report to the executive on the organisation's progress. They need to help ensure that all employees receive a level of data protection training that is commensurate with the type and sensitivity of the personal data that they work with.
They are also the resident expert on data protection and the point of contact for the outside world. Employees with questions or concerns about the processing of personal data should be able to contact the DPO for advice. When individuals want to make subject access requests or complain about the processing of their personal data, they should have access to contact information for the DPO. The DPO is also the first point of contact for our office in the event we receive a complaint about their organisation or hear about a breach.
Contracting out
Some organisations have chosen to contract with a professional DPO or a company that provides DPO services. While this might prove effective for smaller organisations with limited data processing and limited available resources, there are concrete advantages to an in-house DPO. It is important for the DPO to be knowledgeable about the structures, operations and data holdings of the organisation, and it is difficult for an external DPO to obtain that knowledge. Moreover, it is critical that the executive and employees of an organisation develop a strong relationship with the DPO based on trust. For a data protection programme to function effectively, the DPO must be privy to confidential information. The executive and employees must be comfortable divulging sensitive information and asking for advice. They need to be able to trust that when the DPO tells them that certain data protection measures are necessary, they truly are necessary. Working together daily helps to foster the right kind of relationship. The executive needs to know that the primary loyalty of the DPO is to the organisation, and an employment relationship best achieves this. The law also stipulates that if an organisation does decide to contract out the DPO function, it must be confident that the DPO is able to provide the support it needs, when it needs it. Remember that whilst the role may be contracted out, data protection responsibilities and obligations stay firmly in-house.
Operational Independence
Some privacy/data protection laws require that the DPO receive operational independence, but this does not preclude loyalty to the organisation. The DPO must have the necessary expertise and independence to conduct investigations and research regarding data protection issues and to give valid and reliable expert advice to the executive and employees. No one may constrain their ability to fulfil those functions. This does not mean, however, that they should have ultimate authority to make all the decisions. It is right and proper that the executive makes final decisions about issues such as resourcing, changes to practice and the content of public statements relating to data protection. The DPO must be able to advise the executive on how the law applies and what the viable options are. The DPO is not to function as a mole on behalf of the Data Protection Authority. The DPO should have a direct line of sight to the Board and should have the Board's support. In cases where the law requires the organisation to notify the Data Protection Authority about a personal data breach, the DPO should advise on the content of the notification but should not communicate it without the approval of, or delegated authority from, the executive.
DPO Function
In addition to public authorities, organisations that monitor the behaviour of individuals or process special category data on a large scale must appoint a formal DPO. Other organisations should delegate the responsibilities of a DPO to one of their employees and ensure that they have the training, resources and executive support required to be effective in assisting the organisation to comply with the Data Protection Law. Organisations have discretion to determine how best to implement this function, depending on their resources and the nature and quantity of the personal data that they process. Delivering an effective data protection programme is in the best interests of everyone.