The new General Data Protection Regulation (“GDPR”) could not have enlarged data controllers’ and data processors’ obligations and apply such great sanctions without anticipating the need for companies to appoint a Data Protection Officer (“DPO”).

While companies must now turn their focus on ensuring compliance with the GDPR every step of the way, the DPO will be a key player in reaching this goal.

Now this raises questions: who is the DPO? when is appointing a DPO mandatory? what are her/his main tasks? are there any other obligations?

I. Who?

The DPO may be an employee of the controller or processor, or an external contractor.

When considering appointing an employee as DPO, the companies should consider the following:

Companies can also sign a service contract with a third party, such as a law firm, to exercise the function of the DPO. Taking into consideration the tasks to be performed by the DPO (as described below at question 3), engaging a team and combining individual skills and strengths might prove to be more efficient.

When deciding whether the DPO should be an employee or a third party, companies will take into account some general criteria set by the GDPR: the basis of professional qualities, expert knowledge of data protection law and practices, as well as the ability to fulfil the required tasks.

A group of undertakings may decide to appoint a single DPO, but only as long as each establishment can easily and efficiently communicate with the DPO.

II. When?

Mandatory designation of the DPO

Appointing a GDPR is mandatory:

When assessing whether their operations can be considered as “large scale” operations, the companies should consider, among others, the number of data subjects concerned, volume of data, duration of processing activities or geographical extent of the processing activity.

The companies, acting either as data controller or data processor, must determine whether the processing carried out meets any of the previous conditions and if so, to immediately appoint a DPO.

Voluntary designation of the DPO

Even in cases where the appointment of the DPO is not mandatory, the Data Protection Working Party established by EU and also the Romanian Data Protection Authority (“DPA”) recommend to voluntarily appoint one. The reason? Ensuring compliance with the data privacy regulations and facilitating the communications between the DPA, the company, its employees and, most importantly, the data subjects. A voluntary appointment of a DPO may also be useful in case of a potential data breach or non-compliance, when the DPA will determine the applicable sanctions.

III. What?

The main activity of the DPO is to monitor compliance with the GDPR and advise the company in this respect. The GDPR lists DPOs minimum tasks:

Based on the practice established so far under many national laws requiring the appointment of a DPO since before the GDPR, DPOs often have responsibilities when it comes to record-keeping. They create inventories and hold a register of processing operations based on information provided to them by the various departments in their company responsible for the processing of personal data.

DPOs are required to adopt a risk-based approach in performing the tasks, taking into account the nature, scope, context and purposes of processing. In essence, DPOs should focus, primarily, on the higher-risk areas, without neglecting to monitor compliance of data processing operations that have comparatively lower level of risks.

IV. Other?

Although it may seem that once a DPO is appointed, the controller or processor has fulfilled its obligation, as usual, things are not that simple and the appointment is just the first step.

In order to secure the role of the DPO, the GDPR sets further obligations for controllers and processors:

Even though DPOs are responsible with regard to all processing of personal data within a company, they will not be responsible in case of non-compliance with the GDPR. Appointing a DPO is not an exception from the basic principle established by the GDPR that the controller or the processor is required to ensure and be able to demonstrate that the processing is performed in accordance with its provisions. Data protection is, has been and will remain a responsibility of the controller or the processor.

All in all, DPOs will play a crucial role in all companies starting with May 2018. Complying with the new requirements may as well start by appointing this key player.