Under the General Data Protection Regulation (GDPR), when an organisation must or chooses to appoint a Data Protection Officer, the latter must, at least, be in charge of the following tasks:
• Informing and advising the controller or the processor and their employees who carry out processing operations of their obligations under the GDPR and other Union or Member State data protection provisions;
• Monitoring compliance with the GDPR, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
• Providing advice where requested as regards the data protection impact assessment and monitoring its performance;
• Cooperating with the supervisory authority;
• Acting as the contact point for the supervisory authority on issues relating to processing, including the prior consultation.
The EDPB has provided guidelines as to how such tasks should be carried out, any tasks that could be added and the DPO liabilities.
1. Monitoring compliance with the GDPR
Monitoring compliance entails that DPOs do the following:
• Collect information to identify processing activities;
• Analyse and check the compliance of processing activities; and
• Inform, advise and issue recommendations to the controller or the processor.
2. Data Protection Impact Assessment (DPIA)
With regard to DPIA, the DPO should advise on the following:
• Whether or not to carry out a DPIA;
• What methodology to follow when carrying out a DPIA;
• Whether to carry out the DPIA in-house or with the help of an external consultant;
• What safeguards (including technical and organisational measures) to apply to mitigate any risks to the rights and interests of the data subjects;
• Whether or not the DPIA has been correctly carried out and whether its conclusions comply with the GDPR (i.e. whether or not to go ahead with the processing and what safeguards to apply).
If the controller disagrees with the DPO, the DPIA documentation should specifically justify in writing why the advice has not been followed.
3. Risk-based approach
The DPO should prioritise his/her activities and focus his/her efforts on issues that present higher data protection risks.
Amongst other things, the DPO should advise the controller on what methodology to use when carrying out a DPIA, which areas should be subject to a data protection audit, which internal training to provide to staff, etc.
4. DPO role in record-keeping
Under the GDPR, the controller or the processor is required to maintain a record of processing operations carried out under its responsibility or on behalf of the controller.
Although maintaining the record of processing activities is not a required task of the DPO, it is possible to contractually assign this task to him/her.
Even though controllers or processors may appoint a DPO to ensure their compliance with any data protection regulation applicable to their processing activities, they remain responsible vis-à-vis the authorities and the individuals for any breach of the GDPR or of any related regulation.
If you have any questions, do not hesitate to contact Arnaud Blanc, French & UK qualified lawyer based in France.