Out of the 4 guidelines promised by the FabLab by year-end, the WP29 adopted on December 13 the first one, dedicated to the role of the DPO. It does not obviously contain new regulations but interpretations, examples and best practices, highly desirable because (as stated by the WP29 itself) the GDPR contains several ambiguities.
I omit discussing the specification of mandatory rules for the appointment, for which in my opinion national standards will prevail. About the professional features of the figure only obvious things are said, like that “the greater the complexity of the treatment, the greater must be the skills and experience of the DPO”. Interesting however is the waited clarification on the possibility of appointing not only a person (internal or external) but also an external entity: “The function of the DPO can be exercised as well on the basis of a service contract concluded with an individual or an organization outside the controller’s / processor’s organization”; therefore it will not be essential to indicate the name of a contact person among the references to be made public: “The contact details of the DPO should include information allowing data subjects and the Supervisory Authorities to reach the DPO in an easy way (to postal address, a dedicated telephone number, and a dedicated e-mail address). […] Article 37 (7) does not require that the published contact details should include the name of the DPO”.
A few notes on the role and position in the organization chart of the DPO. The first question is whether the DPO is personally responsible for implementation of privacy in the company (thus coinciding with the Privacy Officer or Compliance Manager) or whether it is a monitoring figure (necessarily distinct from the previous ones, to avoid self-monitoring): in this regard it would seem that the WP29 takes a position in favor of the latter proposition. Already in the introduction, we can read “DPOs are not personally responsible in case of non-compliance with the GDPR. The GDPR makes it clear that it is the controller or the processor who is required to ensure and to be able to demonstrate that the processing is performed in accordance with its provisions “.
As for the position, it is said that the DPO should be “involved” in all matters relating to data protection: it follows that he/she will be involved in managing activities wich are in charge to other figures. To carry out Data Protection Impact Assessment, “the GDPR Explicitly Provides for the early involvement of the DPO and the controller specifies that shall seek the advice of the DPO when carrying out such impact assessments”: we are back to the “involvement” and to request for an “opinion”. To facilitate compliance to GDPR the DPO must be “informed and consulted”. If the organization decides not to follow the recommendations of the DPO, it is recommended to display the reasons for disagreement; it follows that the DPO is seen in some way as a third party, as it would be difficult for him to disagree with himself… In the paragraph on the autonomy of the DPO, it is provided that “the controller or processor remains responsible for compliance with data protection law and must be able to demonstrate compliance. If the controller or processor makes decisions that are incompatible with the GDPR and the DPO’s advice, the DPO should be given the possibility to make his or her dissenting opinion clear to those making the decisions”. It would seem that the DPO only expresses an opinion but decisions are taken by somebody else, then we would be facing a control figure, with no executive responsibilities. It should however be noted that in the section concerning the conflict of interest, listing (as examples) the figures which are incompatible with the role, “chief executive, chief operating, chief financial, chief medical officer, head of marketing department, Human Resources or IT” are listed along with other not apical roles, if these positions lead to the determination of the purposes and methods of processing: Privacy Officer or Compliance Manager, being absent from the list, could therefore appear not incompatible with the DPO role as they do not determine the purposes and methods of processing.
Coming to the tasks, we go explicitly back to “Monitoring compliance with the GDPR”, action during which the DPO can collect data, analyze compliance, and finally “inform, advise and issue recommendations to the controller or the processor”. Here the opinion of WP29 becomes peremptory: “Monitoring of compliance does not mean that it is the DPO who is personally responsible where there is an instance of non-compliance. The GDPR makes it clear that it is the controller, not the DPO, who is required to ‘implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation’. Data protection compliance is a corporate responsibility of the data controller, not of the DPO”. A similar approach is taken with regard to the role of the DPO in respect of carrying out DPIA. We find instead a more nuanced position on the record-keeping: while reaffirming that responsibility for this fulfillment is in charge to the controller or processor and not to the DPO, it is recognized that in fact he’ll keep the register “as one of the tools enabling the DPO to perform its tasks of monitoring compliance. ”
Interesting finally is the nod to actions prioritization on a risk-based approach: how I happened to answer in the course of a lesson to a student’s question “but how can I do to make everything at once?”, it is suggested to state an action plan that gives priority to commissioning compliance of the processings that pose a greater risk for data protection “taking into account the nature, scope, context and purposes of processing.” The WP29 suggests that a selective and pragmatic approach will enable enterprises to achieve good results in terms of accountability.
You can find here the WP document 243 Guidelines on Data Protection Officers
and here the FAQ (that do not add much) WP243 ANNEX – FREQUENTLY ASKED QUESTIONS