Does my entity need a Data Protection Officer? Must this role be held by a lawyer? Before answering the first question, it is useful to understand the difference between a Data Protection Officer (“DPO”) and a lawyer: the DPO holds an independent role and brings a multidisciplinary view that goes beyond plain legal advice. In the following sections we answer the first question by identifying the cases in which a DPO must be appointed, the functions a DPO carries out, and how this figure relates to the different actors inside and outside the organisation.
Let us begin. The DPO is a new figure introduced by the data protection regulation to guarantee an entity’s compliance with that legal framework. It may be either a natural person or a legal entity, provided it fits the profile of a data protection expert and, in addition, has specialist knowledge of data protection law; being a lawyer is not a requirement.
After this first approximation, we need to know in which cases the figure applies, and therefore whether its appointment is necessary. According to the regulation, the appointment of a DPO is mandatory when (i) the processing is carried out by a public authority or body; (ii) the core activities of the controller or processor consist of processing operations that require regular and systematic monitoring of data subjects on a “large scale”; or (iii) the core activities consist of processing on a “large scale” of special categories of personal data (e.g. health, genetic or biometric data) or of data relating to criminal convictions and offences.
Consequently, if any of the three scenarios applies, the designation is mandatory regardless of other aspects such as the size of the company or its sector of activity. Without going further into the designation itself, it should be added that the entity must publish the DPO’s contact details, so that the point of contact between the entity and the data subject is clearly established, and that the appointment, renewal and termination of the DPO must be communicated to the competent supervisory authority (e.g. www.aepd.es).
In that sense, whether or not the appointment is mandatory, if we decide to appoint a DPO the designated person must, as a minimum, carry out the following functions within the organisation: (i) inform and advise on the obligations arising from the data protection regulations, with a multidisciplinary view that goes beyond the purely legal aspects (e.g. privacy by design and by default); (ii) monitor compliance independently (in the manner of an internal auditor), raise awareness and train staff in data protection; (iii) advise on Data Protection Impact Assessments; (iv) cooperate with the competent supervisory authority; and (v) act as the contact point for that supervisory authority.
To sum up, our recommendation is that you become well informed about this new figure and, more importantly, that when you choose a DPO, the Controller and/or Processor verifies the data protection expertise of the person in charge; for a simple reason: poor practice by the designated DPO could entail risks of non-compliance with the regulation, as well as setbacks that would hinder or delay the company’s activity and even the organisation’s innovation. Under Article 83.4 of the GDPR, such non-compliance constitutes an infringement subject to administrative fines of up to 10 million euros or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, and the infringement is time-barred after two years.