Less than a month before the GDPR coming into force, it happens more and more often to see discussions, both online and during conferences, about the DPO’s role, its skills and competencies , its operational activities, the fact that she/he can or can’t do his job effectively in the company where the GDPR has been implemented, its fair remuneration…
It is interesting to notice how it is still questionable whether it’s better for the DPO to be a legal expert with some level of IT competences or an IT expert with some level of legal competences…
Often the conclusion is that the DPO’s role is actually delegated to a department, which includes different figures that have the different required competencies; therefore knowing what the DPO’s real competences are does not have such an importance… as if to say that what an individual can lack scan to be offset by other colleagues, making the DPO a team.
The most interesting aspect is that all these discussions, and also the agenda of the many courses for DPO that invaded Italy, miss or relegate to a marginal position one of the tasks assigned to the DPO: the MONITORING, as article 39 GDPR states:
The data protection officer shall have at least the following tasks:
…
b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits
This “forgetfulness” is understandable, if we consider the insufficient or absent familiarity with a monitoring activity, and therefore ultimately with AUDITS, of the major part of the aspirant DPOs…
The auditor’s activity is difficult, it can’t be improvised and requires specific competencies and methodology.
About that, it would actually be sufficient to look at the contents of the only certification for DPOs currently issued by an AUTHORITY, the Spanish one, and the relative scheme:
http://www.agpd.es/portalwebAGPD/temas/certificacion/index-ides-idphp.php
According to this scheme, the DPO (not his office) undergoes an assessment on three topics: legal competences (about general data protection regulations), competences about security and risk assessment and lastly AUDIT activities.
The scheme is a good example of the skills and competencies required for a DPO and should be used by those Controllers and Processors who are going to appoint that role.
Too often we forget that, when the DPO is mandatory, the Controller and the Processor have to identify professionally trained individuals and they must make explicit the criteria adopted for the choice, which obviously can be questioned by a third subject in charge of the control.
Similarly, these subjects are responsible for determining a fair remuneration for the DPO.
Individuals hired internally will hardly get an adequate compensation for their roles as DPOs. The matter concerns mostly those who come from outside the company to play that role.
Many adopt the latter solution for different reasons. Apart from the internal lack of competences, there’s a wrong, but widely held conviction that the DPO is the lightning rod for the legislative fulfillments, namely the subject responsible for the compliance to the regulations.
Nothing would be more wrong since the DPO is not even punishable for those processing activities that he manages within his activity as a DPO and the Controller and the Processor remain liable.
About that the Guidelines on Data Protection Officers state
Monitoring of compliance does not mean that it is the DPO who is personally responsible where there is an instance of non-compliance. The GDPR makes it clear that it is the controller, not the DPO, who is required to ‘implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation’ (Article 24(1)). Data protection compliance is a corporate responsibility of the data controller, not of the DPO.
In order to determine whether the compensation is fair or unfair, we need to define at least a benchmark.
For instance, if we state that a fair compensation would be 500 euros per day, it follows that 20.000 euros per year correspond to 40 days of work.
Is it reasonable to think that an external DPO would dedicate that time to his work in a company (or in an association or in a public entity…)?
It depends of course on the kind of organization, on its dimensions, on the types of processing, on the time dedicated to the processing (8 hours for 5 days as it normally happens in a company, 24 hours for 7 days as it happens in hospitals…).
It is probably a reasonable amount of time in a big organization that accidentally carries out processing of personal data, that has however chosen to have a DPO; it is probably also reasonable for a small organization that processes personal data.
It is obviously not reasonable for a big organization that processes personal data where a DPO, even external, should always be present.
Therefore, the DPO’s compensation is not a neutral element, freely determinable by the Controller and the Processor without any criteria, but as well as many other elements of this regulation (even though Controllers and Processors don’t really get that, since they still think of a direct link between action and sanction), an element that contributes to the evaluation of the actual compliance to the norm. A remuneration that is too low implies a low expertise of the DPO and/or a little amount of time to invest on the task; the Controller and the Processor will answer for these shortcomings during audits.
About that, we must take into account that the Guidelines on Processors of personal data state:
Having sufficient time to devote to DPO tasks is paramount. It is a good practice to establish a percentage of time for the DPO function where it is not performed on a full-time basis. It is also good practice to determine the time needed to carry out the function, the appropriate level of priority for DPO duties, and for the DPO (or the organisation) to draw up a work plan.
and then
In general, the more complex and/or sensitive the processing operations, the more resources must be given to the DPO. The data protection function must be effective and sufficiently well-resourced in relation to the data processing being carried out.
In particular, when DPO’s compensation is public (public entities or private companies’ expressions of interest), a value that seems inappropriate for the role could be a warning for those who have to identify the organizations to be screened; indeed, whoever has to carry out verifications while determining the action plan selects the organisations based on the risk of non-compliance.
[1] Personally I struggled to be able to mention the audit activities in a prestigious master for DPOs that I contributed to organizing.
[2] It is interesting to notice how consultancy and monitoring are typical ex-ante and ex-post of the Compliance, even though I personally believe that the DPO’s ex-post activity is far more similar to the audit.
(translated by Matilde Bobbio)