The GDPR is almost here; May is not far off, and organisations are increasingly worried about being compliant with the data protection Regulation. One of the main topics is DPO selection.
Should I hire one?
What exactly qualifies someone to be a DPO?
Should a DPO be a lawyer?
These are just some of the most common questions I am being asked.
Data protection is booming, and so, consequently, is the number of individuals and companies offering GDPR services. Without questioning anyone’s skills, it is important to underline that, whereas a DPO does not necessarily have to be a lawyer, it would be advisable to nominate someone with a legal background and solid experience in the data protection field.
The Data Protection Officer (DPO) will definitely be a key position under the GDPR, as it is meant to help both data controllers and data processors comply with the GDPR requirements.
Besides that, the DPO will also be the contact point for data subjects and for the supervisory authority; consequently, it is clear that such a person should be nominated for his in-depth knowledge of data protection law as it applies to the industry (or industries) in which he will operate.
When must a DPO be appointed by law?
In some cases having a DPO is simply not optional. The following points apply to every organisation offering its products or services in the EU.
- Public authorities or bodies (except courts acting in their judicial capacity),
- Organisations which, as part of their core business, systematically monitor data subjects on a large scale (legal skills would be greatly helpful in assessing the purpose, the means, and possible prejudice to others’ rights),
- Organisations processing sensitive data (including data relating to criminal offences) on a large scale. Here the situation is slightly more complex since, besides purpose and means, it will be crucial to assess the legal basis for processing.
Which tasks is a DPO meant to perform?
- Guidance on the GDPR (and other applicable data protection law) to data controllers and data processors. It is clear here that, besides privacy, knowing the specific industry and its challenges is important in order to be effective as a DPO,
- Data protection monitoring activities (including controllers’/processors’ policies, training, assignment of responsibilities, processing activities and audits). The DPO is not just supposed to monitor the aforementioned activities; he shall also provide advice whenever needed. Whilst I acknowledge that other professionals (e.g. cybersecurity specialists) may contribute to creating a solid compliance program, a DPO should supervise the entire range of data processing activities and their interactions with other legal issues; if not someone with a strong legal background, I really don’t know who can do the job.
- Performing a Data Protection Impact Assessment (DPIA) and monitoring its results, particularly in relation to third parties’ rights,
- Being the contact point for, and consulting whenever appropriate, the supervisory authority. Again, privacy is a multifaceted issue, but words carry a lot of weight, and eventually someone (the DPO) has to put everything together. Who better than a lawyer?
- Dealing with enquiries and complaints (the emphasis here is deliberate)
Again, why should a DPO be a lawyer?
The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.
As pointed out above, the Regulation doesn’t require a lawyer; however, there is an aspect I would like to underline: a legal qualification is a tangible asset. Organisations should not find it difficult to demonstrate that their DPO was qualified.
Conversely, ‘professional qualities’ not supported by academic or recognised qualifications might be more difficult to demonstrate. This doesn’t automatically mean that every lawyer is qualified to be a DPO; as in every other profession there are specialisations, and just as a dentist shouldn’t be allowed to perform heart surgery, the same goes for any lawyer whose professional interests are far from data protection.
Moreover, three noteworthy points:
- ‘Expert knowledge of data protection law’. Every law lives in a country’s legal, social and economic environment (it’s not by chance that laws must comply with the Constitution to be valid), but who are the ones knowledgeable about the law? In my opinion the answer here is rather obvious.
- ‘Ability to fulfil the tasks..’ Here there might be room for other professionals to be DPOs; in the case of laboratories studying human DNA, for instance, choosing an expert in the field can be an excellent option. However, academic qualifications play an important role. (Would you choose a surgeon who has not graduated from medical school? Probably not.)
- Professional insurance. Lawyers, for example, need to have it (rules may vary, so please make sure that is the case); others may not be bound by the same duties. Since fines under the GDPR can be significant, it’s always a good idea to verify this upfront.