The 4 things you need to consider before appointing a Data Protection Officer (DPO)

April 24, 2017 Arne Defurne

On April 5, 2017, the Article 29 Working Party (WP29) adopted a revised version of its guidelines on data protection officers. Even though most of the changes are minor, WP29 introduces some new points which have to be carefully considered:

The DPO is designated for all of the organisation’s processing operations

When an organisation appoints a DPO, whether on a mandatory or a voluntary basis, he/she is responsible for all the processing activities carried out by the controller or the processor. Therefore, an organisation cannot appoint a DPO for only one division and keep him/her away from the rest of the organisation.

To ensure efficient communication, the DPO can count on his/her team

According to the initial guidelines, the DPO must be able to communicate efficiently with the data subjects and to cooperate with the supervisory authorities in the language(s) used by the data subjects and the supervisory authorities. However, the DPO is not obligated to be able to speak all European Union (EU) languages. This requirement can be fulfilled with the help of a team.

The DPO should be accessible

To make sure that the DPO is accessible, it is recommended to locate the DPO within the EU, even if the controller or the processor is not established in the EU. However, an exception can be made if the controller or the processor is not established within the EU and the DPO is able to carry out his/her tasks more effectively outside of the EU.

The DPO reports directly to the highest management level

Part of the DPO’s mission is to inform and advise the controller or the processor. For that reason, the guidelines require the DPO to report directly to the highest management level of the controller or the processor. WP29 explains the reasoning behind this arrangement:

“Such direct reporting ensures that senior management (e.g. board of directors) is aware of the DPO’s advice and recommendations as part of the DPO’s mission to inform and advise the controller or the processor. Another example of direct reporting is the drafting of an annual report of the DPO’s activities provided to the highest management level.”

In conclusion, the decision to hire a DPO will bring you one step closer to GDPR-compliant data governance. It doesn’t matter whether you’re a large, small or medium-sized organisation: the time has come to think about who will take on the DPO’s role in your organisation.