Do you need to appoint a data protection officer? When it is mandatory, requirements, role, tasks and duties, and average salary
What is a data protection officer
The GDPR does not provide an explicit definition of what a Data Protection Officer is. The meaning is, however, inferred from Articles 37 to 39, which regulate the tasks and prerogatives associated with this role.
Hence, the data protection officer may be defined as an organisation or individual with expertise in personal data protection legislation who acts with independence, advising the controller or processor, monitoring compliance and serving as a point of contact for data protection authorities and data subjects.
When appointing a data protection officer is mandatory
Pursuant to the GDPR, the controller and the processor shall designate a data protection officer in any case where:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.
These three cases are the only scenarios where the GDPR sets out the appointment of a DPO as mandatory. However, national Member State law may introduce further cases where a Data Protection Officer is required, especially where the controller or processor is a private organisation exercising public authority.
The concepts of “core activities”, “regular and systematic” and “processing on a large scale” were explained by the A29WP in their “Guidelines on Data Protection Officers” (WP243).
What does core activities mean
As stated by the A29WP, “«core activities» can be considered as the key operations necessary to achieve the controller’s or processor’s goals. However, «core activities» should not be interpreted as excluding activities where the processing of data forms an inextricable part of the controller’s or processor’s activity”.
For instance, the core activity of a hospital is to provide health care; however, to render that service effectively and securely, the hospital needs to process health data.
On the other hand, support functions to the organisation’s core activity, such as standard IT support activities or paying employees, are usually considered ancillary and do not trigger the requirement to appoint a DPO.
What does regular and systematic mean
According to the A29WP, “regular” means one or more of the following:
- Ongoing or occurring at particular intervals for a particular period;
- Recurring or repeated at fixed times; or
- Constantly or periodically taking place.
“Systematic” means one or more of the following:
- Occurring according to a system;
- Pre-arranged, organised or methodical;
- Taking place as part of a general plan for data collection; or
- Carried out as part of a strategy.
What does large scale mean
The concept of “large scale” is not a defined threshold but a series of factors that must be evaluated in order to determine whether or not the processing takes place on a large scale. Thus, the A29WP considered that the following should be analysed:
- the number of data subjects concerned – either as a specific number or as a proportion of the relevant population;
- the volume of data and/or the range of different data items being processed;
- the duration, or permanence, of the data processing activity; and
- the geographical extent of the processing activity.
Legal requirements to designate a data protection officer
A data protection officer is a contact point for data subjects and supervisory authorities, but also internally within the organisation, since one of their tasks is “to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions”.
For a DPO to carry out their tasks effectively, their contact details must be published and communicated to supervisory authorities and any communications with data subjects or supervisory authorities must take place in the language used by the data subjects or supervisory authorities concerned.
The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.
Furthermore, as a good practice the WP29 recommends organisations to inform their employees of the name and contact details of the DPO.
On these conditions, a group of undertakings is entitled to appoint a single DPO insofar as the DPO is “easily accessible from each establishment”.
The same applies where the controller or processor is a public authority or body, which are also entitled to designate a single DPO for several such authorities or bodies, “taking account of their organisational structure and size”.
Data protection officer in the EU
To ensure that a data protection officer is accessible, the WP29 recommends that the DPO be located within the EU, whether or not the controller or processor is established in the European Union.
Nonetheless, it also acknowledges that there might be situations where the controller or processor has no establishment within the EU and the DPO may be able to carry out their activities more effectively if located outside the EU.
Expertise and skills
As set out by Article 37.5 of the GDPR, “the data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.”
The level of expertise is not set by the GDPR but it should take into account the sensitivity, amount of data and complexity of the processing activities. Knowledge of national and European data protection laws, the GDPR, the business sector, the operations carried out and information systems and data security requirements should also be considered.
Registration of the data protection officer
The GDPR also requires that contact details of the DPO are communicated to the relevant supervisory authorities.
The registration procedure may vary from one Member State to another. For instance, in Spain, controllers and processors which need or wish to register the appointment of a DPO can do so through the electronic office of the Spanish data protection authority (AEPD).
Certification of data protection officers
Certification is not required to be appointed and act as a data protection officer. However, obtaining a certification proves competence, and many organisations require candidates for a DPO position to hold a valid, recognised certification in privacy or as a DPO.
Role of the data protection officer
The role of the data protection officer consists primarily of advising the controller or processor on all issues relating to the protection of personal data. To carry out their tasks, data protection officers must be given the necessary support and resources, and they are expected to act with independence and maintain confidentiality in the performance of their tasks.
Involvement in all issues relating to the protection of personal data
The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
Involving the DPO from the very outset in all data protection issues and projects where personal data is processed helps promote privacy by design and by default within the organisation. Some examples given by the A29WP of how a data protection officer should be involved include:
- Invite them to participate regularly in meetings of senior and middle management.
- Ensure their presence where decisions with data protection implications are taken.
- Give due weight to their opinion and document the reasons for not following their advice.
- Consult them promptly when a data breach or another incident occurs.
Support and resources
The controller and processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.
To effectively provide a DPO with the necessary resources, the A29WP recommends considering the following items:
- active support by senior management;
- sufficient time to fulfil their duties;
- adequate support in terms of financial resources, infrastructure and staff, where appropriate;
- official communication of the designation of the DPO to all staff;
- necessary access to other services, such as Human Resources, legal, IT, etc.;
- continuous training; and
- setting up a DPO team, where appropriate and because of the size and structure of the organisation.
The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of [their] tasks.
For instance, the A29WP highlights that DPOs must not be instructed on, inter alia:
- what result should be achieved;
- how to investigate a complaint;
- whether to consult the supervisory authority; or
- to take a certain view of an issue related to data protection law.
In addition, Article 38.3 of the GDPR states that “the data protection officer shall directly report to the highest management level of the controller or the processor”.
Although data protection officers are independent and report to the highest management level, this does not mean that they have decision-making powers extending beyond their tasks; controllers and processors remain the entities or individuals responsible for compliance with data protection laws.
Finally, to reinforce the independence of DPOs, the GDPR protects them from being dismissed or penalised by the controller or the processor for performing their tasks.
A penalty here should be construed not only as dismissal or a financial cost, but also as indirect forms such as an absence or delay of promotion, prevention of career advancement, or a mere threat thereof.
Data protection officers are bound by secrecy or confidentiality concerning the performance of their tasks, in accordance with Union or Member State law. This duty is especially important and is often overlooked by in-house DPOs and the organisation’s employees.
Even where a DPO has been appointed by a controller or processor, the DPO is independent and has to maintain confidentiality in any communications with employees of that data controller or processor, otherwise employees would be reluctant to communicate data protection issues and the task of the DPO would be hindered.
Conflict of interests
The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.
Closely related to the requirement to act with independence, DPOs are allowed to perform other tasks and duties insofar as these do not conflict with the role of data protection officer.
According to the A29WP, this entails in particular “that the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data”.
Tasks and duties of a data protection officer
Article 39 of the GDPR sets out the minimum tasks that a data protection officer is required to carry out.
Advising and monitoring compliance
As part of their tasks, the GDPR requires DPOs “to inform and advise the controller or processor and the employees who carry out processing operations of their obligations pursuant to [the GDPR] and other Union or Member State data protection provisions”.
However, their role is not limited to informing and advising. The GDPR also requires data protection officers to monitor compliance with the regulations, which means that they should proactively collect information about data processing activities, analyse and check those processing operations, and inform or advise on any gaps or non-conformities.
To perform this task correctly, a data protection officer should consider not only data protection laws but also “the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits”.
Data protection impact assessments
Article 39.1.c of the GDPR establishes that data protection officers must “provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35”. In correlation, Article 35 requires the controller “to seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment”.
The obligation to carry out a data protection impact assessment is a responsibility of the controller or processor, not of the data protection officer. The task of the DPO concerning DPIAs consists of advising, not performing, unless otherwise stated in the employment or services contract.
It is clear, then, that the controller must seek the advice of the data protection officer when carrying out a data protection impact assessment, but to what extent? The A29WP provides some guidance on this, recommending that controllers seek the advice of the DPO on the following issues, among others:
- whether or not to carry out a DPIA;
- what methodology to follow;
- whether to carry out the DPIA in-house or whether to outsource it;
- what safeguards to apply to mitigate any risks to the rights and interests of data subjects; and
- whether or not the data protection impact assessment has been correctly carried out and whether its conclusions are in compliance with the GDPR.
Cooperation and contact point
As Article 39.1.(d) and (e) of the GDPR state, data protection officers shall “cooperate with the supervisory authority” and “act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter”.
The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
The above provision means that a data protection officer should focus his or her efforts and prioritise those issues or non-compliance activities which present higher data protection risks. This does not mean, however, that other operations with lower risks should be neglected.
Tasks outlined in the job description
Finally, since the tasks of the data protection officer set out in Article 39 of the GDPR are only the minimum required and are vaguely worded, it is highly recommended that the data protection officer and the controller or processor clearly outline the precise tasks of the DPO and their scope.
This might be done in the job description of the employment contract, where the data protection officer is appointed in-house, or in the services arrangement when appointing an external DPO.
Average salary of a data protection officer
According to the latest salary survey of privacy professionals carried out by IAPP for 2019, data protection officers average a salary of about $100,000, which is one of the lowest salaries amongst privacy professionals, just above privacy analysts.
There is a strong gap between the salaries of privacy professionals in the US and their counterparts around the world, which is also reflected in DPOs’ salaries.
Thus, whereas data protection officers average a median salary of about $140,000 in the US, their counterparts in the E.U., including the U.K., average about $88,000.