The role of the Data Protection Officer (DPO for short) is discussed in Chapter IV, Section 4 of the GDPR. If you are new to the subject, you might find it helpful to read our article What is a Data Protection Officer?, as it might shed some light on the main questions regarding DPOs.
So let's take another look at the three situations that make appointing a DPO mandatory. The subject is treated in Article 37(1) of the GDPR:
the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale, or
the core activities of the controller or the processor consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offenses.
Some of the terms in the above statements are not 100% clear. For example, "public authority or body" is not clearly defined by the GDPR. According to the WP29, these should be defined under national laws. "Core activities", a term that appears more than once throughout the GDPR, refers to the key activities necessary to achieve the controller's and/or the processor's goals. "Large scale" is another term not defined within the GDPR. WP29 plans to offer more guidance regarding this term in the future. Until then we are left with a few examples of what could be considered 'processing data on a large scale': processing patient data in a hospital, processing data by telephone or internet service providers, processing travel data of individuals using a city's public transportation system, and more. However, processing patient data by a single physician is not considered large scale data processing.
Who can be a DPO and what are the benefits?
A few interesting questions are: who can actually become a DPO, what qualifications should they have, and how much experience in the business do they need? The GDPR offers some guidance on the matter in Article 37.
The level of expertise of a DPO is not clearly expressed in the GDPR. However, it should be in accordance with the complexity of the job, the amount of data processed within the organization, and more. The more complex the processing activities, the more expertise the DPO should have. The professional qualities of a data protection officer are also not expressed in the GDPR. It is obvious that a good DPO should have knowledge of national and European laws and a very good understanding of the GDPR. Basic expertise in the business area of the organization might be helpful as well. High professional ethics are another requirement for a good DPO.
As far as benefits go, the most important one for a DPO is the strong job security, as stated in Article 38(3). Data protection officers cannot be penalized for performing their tasks. They report only to the highest management level, and they must not receive instructions regarding the exercise of their tasks.
The risks of being a DPO
There are certain risks associated with the position as outlined in a recent article published by the IAPP (International Association of Privacy Professionals). Laws worldwide vary and in some cases the DPO may face criminal liability for non-compliance.
Probably the strictest laws can be found in Hong Kong, where a DPO could face imprisonment of up to 5 years, depending on the severity of the non-compliance. The offenses range from failing to acquire consent for direct marketing and transferring data to a third party without consent to providing false information to the commissioner, and more. The Philippines and Singapore are two other countries that hold the DPO responsible in various cases; penalties can be between 6 months and 7 years in jail in the Philippines and between 1 and 3 years in Singapore. The violations punished in the Philippines range from unauthorized processing, access due to negligence and improper disposal to concealment of security breaches or unauthorized disclosure. In Malaysia, if the violation relates to the cross-border restrictions, penalties can include a fine of up to 300,000 Malaysian Ringgit (approximately $94,200 U.S.) and/or up to two years of imprisonment.
In the United Kingdom, a DPO can face criminal liability if they:
"(a) [K]new or ought to have known (i) that there was a risk that the contravention would occur, and (ii) that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but (b) failed to take reasonable steps to prevent the contravention."
On the other hand, in Ireland, a DPO might face criminal liability if the violations have been committed with the director's "consent or connivance of or to be attributable to any neglect on the part of a person".
In both countries, penalties consist of statutory damages, but no imprisonment.
Insurance policies might help mitigate some of these risks, especially in the case of civil liabilities. Criminal liabilities, however, are not usually covered by insurance policies, so the DPO will need to take additional measures to mitigate those risks.
As a conclusion
The DPO job may not be an easy one under the GDPR, but it is surely an important one. While there are risks associated with the position, they can be mitigated by doing your job right and with integrity. An insurance policy should not be overlooked, especially when working with countries that have severe penalties in store for DPOs in the case of non-compliance.