In the context of the proactive approach that the GDPR requires of companies, the figure of the data protection officer (DPO) gains importance. He or she is the person in charge of informing and advising the controller or processor, as well as monitoring their compliance with the GDPR.
As the regulation indicates, the DPO is not personally liable in case of non-compliance with the GDPR. The regulation specifies that the party obliged to ensure compliance with the GDPR is the controller or, failing this, the processor. The DPO's function is to monitor that compliance is achieved correctly, but this does not make him or her responsible in the event of non-compliance:
“The controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary” (Article 24, section 1).
If the controller or processor makes decisions that are incompatible with the GDPR and with the DPO's advice, the DPO can raise his or her disagreement with the highest level of management and decision-makers.
Does the DPO have to do the risk analysis?
The GDPR establishes that “The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing” (Article 39, section 2). Performing the risk analysis is not the DPO's function, since that duty rests with the controller or the processor. However, the DPO must help and advise the controller on which methodology to use when performing a risk analysis or a data protection impact assessment, which areas need to be subject to an internal or external data protection audit, which internal training activities to provide to personnel or managers in charge of data protection, and which processing operations deserve more time and resources.
What is the role of the officer in performing the impact assessment?
The controller is the one who is obliged to perform, when necessary, an impact assessment of the data processing operations.
However, the data protection officer (DPO) can play a very important and useful role in helping the controller. Following the principle of data protection by design, Article 35, section 2 specifically states that “The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.” In turn, Article 39, section 1, letter c) establishes an obligation for the DPO “to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35”.
It is recommended that the controller seek the DPO's advice on questions such as the following:
- Whether or not to perform the impact assessment related to data protection.
- The methodology to be followed when performing an impact assessment.
- Whether the impact assessment should be performed within the organization itself or externally.
- What safeguards (including technical and organizational measures) should be applied to mitigate any risk to the rights and interests of the stakeholders.
What role does the DPO play in the maintenance of the Records of Processing Activities?
In accordance with Article 30, sections 1 and 2 of the GDPR, it is the controller or the processor, and not the Data Protection Officer (DPO), who is obliged to keep “a record of processing activities under its responsibility” or to maintain “a record of all categories of processing activities carried out on behalf of a controller”.
In practice, it may be common for DPOs to develop inventories and maintain a record of processing operations based on information provided by the various departments responsible for data processing in their organization.
Therefore, nothing prevents the controller or the processor from assigning the task of maintaining the record of processing operations to the DPO, under the responsibility of the controller or processor. This record, as an effective accountability measure, should be considered one of the tools that allows the DPO to perform his or her functions of monitoring compliance with the rules and of informing and advising the controller or the processor.
In short, the obligation to implement and comply with the requirements established in the GDPR does not fall on the DPO, but on the controller and/or processor. However, the DPO should advise on and support the execution of the measures the company takes to ensure effective compliance with the regulation.