Under the new European General Data Protection Regulation (GDPR), the Data Protection Officer (DPO), where one is appointed, must at a minimum be in charge of the following tasks:
• To inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions
• To monitor compliance with the GDPR, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations and the related audits;
• To provide advice where requested as regards the data protection impact assessment and monitor its performance
• To cooperate with the supervisory authority
• To act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation, and to consult, where appropriate, with regard to any other matter
When monitoring compliance with the GDPR, DPOs are expected to do the following:
• Collect information to identify processing activities
• Analyse and check the compliance of processing activities; and
• Inform, advise and issue recommendations to the controller or the processor
When it comes to privacy impact assessment (DPIA), the DPO should advise on the following:
• Whether or not to carry out a DPIA
• What methodology to follow when carrying out a DPIA
• Whether to carry out the DPIA in-house or with the help of an external consultant
• What safeguards (including technical and organisational measures) to apply to mitigate any risks to the rights and interests of the data subjects
• Whether or not the DPIA has been correctly carried out and whether its conclusions are in compliance with the GDPR (i.e. whether or not to go ahead with the processing and what safeguards to apply)
If the controller disagrees with the DPO, the DPIA documentation should specifically justify in writing why the advice has not been taken into account.
Risk based approach
The DPO should prioritise his/her activities and focus his/her efforts on issues that present higher data protection risks.
Amongst others, the DPO should advise the controller on what methodology to use when carrying out a DPIA, which areas should be subject to a data protection audit, which internal training to provide to staff, etc.
DPO role in record keeping
Under the GDPR, the controller or the processor is required to maintain a record of the processing operations under their responsibility or that they carry out on behalf of the controller.
Holding this register is not a mandatory task of the DPO, but nothing prevents the organisation from assigning this task to the DPO.
Even though the DPO is appointed by a controller or a processor to ensure their compliance with any data protection regulation applicable to their processing activities, the controller or the processor remains responsible vis-à-vis the authorities and the individuals for any breach of the GDPR or any related regulation.