DPO: better a service or an employee?

By | Sunday May 8th, 2016

The Regulation 2016/679 (GDPR) introduces a new role: the Data Protection Officer (DPO). Mandatory for some categories of Controllers and Processors and optional for the remaining ones (see article 37), the DPO plays a peculiar role within the controller’s organization.

The GDPR defines the main DPO tasks (article 39 for details): inform and advice …monitor compliance …, “provide advice …, cooperate with the supervisory authority …, act as the contact point for the supervisory authority … .

Clearly, no operational tasks are assigned to the DPO by the GDPR, even if other tasks can be assigned to the person acting as DPO if they do not result in a conflict of interests.

So, is the DPO responsible for the compliance of the organization? I would answer no. Furthermore, I would say that he cannot be the person responsible for ensuring the compliance to the GDPR otherwise he/she should monitor him/herself.

Having said that, another question arises immediately: given that the GPDR explicitly states that the DPO function can be supplied by an external service provider, which is the best choice between appointing an employee or buying a service from a specialized supplier?

The answer, of course, depends on many factors: the size of the organization, the existence of such a competence inside, the kinds of personal data and processing and so on. Some of such factors depend on the service as well: industry specific competence really seems a key factor for a service to be useful, particularly for those industries with less privacy mindsetting and experience.

Category: Data Protection Officer Roles and Liabilities Tags: , , , ,

About Sergio Fumagalli

Vice President Zeropiu Spa, system integrator specialized in digital identity and data security with operations in Italy and in the Nordics. After serving as MP in the Italian Parliament, I started a professional collaboration with the Data Protection Italian Authority and a professional activity on these topics. Co-author of “Privacy guida agli adempimenti”, IPSOA, 2004, 2005 a book on compliance to the Italian Law. Since 2008 member of the Oracle Community for Security - http://c4s.clusit.it/views/Homepage.html - and since 2014 member of the board of Clusit a leader association on IT Security in Italy Between 2004 and 2012 member of the board of Webank Spa, the online banc of the Banca Popolare di Milano group.

5 thoughts on “DPO: better a service or an employee?

  1. paolo calvi

    Questo interessante report dalle giornate londinesi che IAPP ha dedicato al GDPR (e in particolare alla figura del DPO) risponde almeno in parte alla tua domanda. Secondo Paul Jordan (Managing Director IAPP Europe):
    1) il DPO non sarà il Chief Privacy Officer già presente nelle aziende (è quello che vado dicendo anch’io da tempo, visto che il CPO ha compiti gestionali mentre il DPO è una figura di controllo);
    2) il DPO non sarà il Legale interno all’azienda;
    3) il DPO non sarà affidato a Studi Legali esterni, che potrebbero avere un conflitto di interessi.
    Quindi IAPP vede una crescita per le “emerging specialized consultant organizations created for the sole purpose of serving as an out-sourced DPO”.
    https://iapp.org/news/a/notes-from-the-iapp-europe-managing-director-april-22-2016/

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.