The WP29 adopted on December 13 a guideline, in order to better defining to the role of the DPO in the GDPR.
WP29 DPO Guideline, at 3.5. point states that: Article 38(6) allows DPOs to ‘fulfil other tasks and duties’ but ‘any such tasks and duties do not result in a conflict of interests’.
WP29 DPO Guideline moreover at point 4.1 states that: “The absence of conflict of interests is closely linked to the requirement to act in an independent manner. Although DPOs are allowed to have other functions, they can only be entrusted with other tasks and duties provided that these do not give rise to conflicts of interests. This entails in particular that the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data.
GDPR Recital 97 states that “DPOs, should be in a position to perform their duties and tasks in an independent manner’ and GDPR Article 38(3) establishes some basic guarantees to help ensure that DPOs are able to perform their tasks with a sufficient degree of autonomy within their organisation.
GDPR Recital 97 furthermore specifies that DPO ‘should assist the controller or the processor to monitor internal compliance with this Regulation’; and GDPR Article 39(1)(b) entrusts DPOs, among other duties, with the duty to monitor compliance with the GDPR.
WP29 Guidelines at 3.5 “Monitoring compliance with the GDPR” clarify that:
“As part of these duties to monitor compliance, DPOs may, in particular:
- collect information to identify processing activities,
- analyse and check the compliance of processing activities, and
- inform, advise and issue recommendations to the controller or the processor”
Furthermore WP29 DPO Guideline Introduction “In addition to facilitating compliance through the implementation of accountability tools (such as facilitating or carrying out data protection impact assessments and audits), DPOs act as intermediaries between relevant stakeholders (e.g. supervisory authorities, data subjects, and business units within an organization)”.
The DPO shall also have an advisory role, supporting a consistent application of Data Protection rules and company policies and procedures (e.g. data breach, management of requests coming from Authorities).
As a consequence of the above considerations, DPO Role could be defined as a Governance Role, similar to Compliance or Internal Audit Roles, that need independence, autonomy and segregation of duties versus management and operational roles.
About “Independence” in Audit Activities, ISACA ITAF 3, a Professional Practices Framework for IS Audit/Assurance, defines (at 2003 point 2.4) that an ICT Auditor could have “Non-Audit service or roles”, like “advice roles”, while maintaining Organisational and Professional Independence.
Specifically “the audit function should avoid performing non-audit roles in IS initiatives that require assumption of management responsibilities, because such roles could impair future independence”.
In ITAF3 examples are given of how an Auditor should act not to impair Independence.
Furthermore in GDPR, other meaningful points about DPO target activities, are:
- GDPR Article 32 (1 d); “Security of processing” states that “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing” should be implemented by the controller and the processor as appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. The DPO should monitor security measures.
- GDPR Art. 28 (3)(h): “Data processor makes available to the controller all information necessary to demonstrate compliance with the (data processor’s) obligations and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.” The Controller DPO should verify Data processor Obligations.
- GDPR Article 35(2), also as of DPO Guideline 4.2, specifically requires that the controller ‘shall seek advice’ of the DPO when carrying out a DPIA. Article 39(1)(c), in turn, tasks the DPO with the duty to ‘provide advice where requested as regards the [DPIA] and monitor its performance’. The DPO should advise the DPIA.
Coordination of DPO, on the basis of a RACI Chart, with Compliance Officer, Risk Manager, Security Officer, Chief Privacy Officer (CPO) and other Management and Operational Roles is the key success factor to define the DPO Role.
RACI Chart is an important tool for an enterprise, to establish internal procedures and to define reciprocal interactions among internal roles, on the basis of being Accountable, Responsible, Consulted, Informed for each role.
The ISACA COBIT 5 framework for the governance and management of enterprise IT, is a leading-edge business optimization and growth roadmap that leverages proven practices, global thought leadership and ground-breaking tools to inspire IT innovation and fuel business success.
In a RACI Chart perspective, the ISACA COBIT 5 framework outlines main processes and controls under Responsibility of the DPO (or CPO in absence of GDPR full requirements), along with the Information System Life Cycle.
Main Cobit 5 Processes, that require a RACI coordination in DPO activities, are: Manage Quality, Manage Risk, Manage Security, Manage Solutions Identification and Build, Manage Organisational Change Enablement, Manage Knowledge, Monitor, Evaluate and Assess the System of Internal Control, Monitor, Evaluate and Assess Compliance with External Requirements.
Looking into Cobit 5 RACI Chart, the DPO (or CPO), shares its responsibility with the Security Manager in most control objectives of Cobit 5. Internal procedures should define reciprocal responsibilities between the two roles.
The ISACA Cobit 5 framework is helpful to define DPO Responsibilities and tasks.
Organizational and Performance Independence, in a way similar to that of Internal and Information Systems Auditors, is the key for DPO to avoid conflict of interests while fulfilling other tasks and duties.