WP 29 Issued Guidelines on Data Protection Officers («DPO»), 16/EN WP 243
The WP 29 (Data Protection Working Party) has approved and issued Guidelines on DPOs in accordance with the European General Data Protection Regulation («GDPR»).
WP 29 underlines that the DPO is the cornerstone of accountability for data protection and security as of the entry into force of the GDPR in May 2018.
The DPO not only facilitates compliance through the implementation of accountability tools (such as carrying out data protection impact assessments and audits), but can also act as an intermediary between supervisory authorities, data subjects and business units within an organisation. Although under the GDPR a DPO will not be compulsory for ALL structures, it is expected that companies of all sizes will appoint a DPO, for the competitive advantage it brings to the business. Germany has already stated that it will keep the DPO institution (which was already largely compulsory under the Bundesdatenschutzgesetz). The DPO will, however, be compulsory for the activities listed in Article 37 of the GDPR, i.e. for public authorities and for organisations whose primary activity as controllers or processors is indeed the processing of personal data, carried out on a large scale.
The DPO's primary task will be to enable the organisation to be compliant with the GDPR. As this is a tricky job for an IT specialist alone (as well as for a lawyer alone), WP 29 suggests that the DPO, in order to obtain the support necessary to carry out his/her functions efficiently, may need to build a team of resources (e.g. HR, IT, Legal, Security). The DPO may wisely be chosen from outside the organisation (NB: the GDPR authorises both internal and external DPOs), as an external DPO does not carry the risk of a conflict of interest with the organisation and is considered to be neutral; in any case, the DPO should be well trained.
The DPO takes care of every aspect of preventive data protection and security: monitoring compliance, training for compliance, and maintaining the register of data processing records, present and future. His/her role is also fundamental in a data protection impact assessment (Article 35 GDPR), since here the data controller will most probably delegate this obligation. The DPO also assumes the role of impeccable record-keeping of all processing operations. This last role will be fundamental, as the GDPR provides for exorbitant fines if the controller (but also the processor) cannot document thorough record-keeping of its data processing. Controllers (and processors) will have to rely on data protection documentation without any gaps (in case of dawn raids and inspections), as it is a necessary element of accountability under the GDPR.
As to M&A activities: incomplete data protection documentation may in future turn out to be on the list of MAE issues («Material Adverse Event»).
DPO: a full-time job ahead?