Professional Documents
Culture Documents
Officer
Key points of the recent ODPC
guidance and the Article 29 Working
Group Guidance
September 2017
00
The Role of the Data Protection Officer
Introduction
Key points of the recent ODPC guidance, and
the Article 29 working group guidance
01
The Role of the Data Protection Officer
Mandatory Designation
Under Article 37(1) of the GDPR, data controllers and processors must
designate a DPO in any case where:
The WP29 has recommended that controllers and processors keep a record
of the internal analysis carried out to determine whether or not a DPO is to
be appointed in order to demonstrate that all relevant factors have been
taken into account. Keeping this record also satisfies the accountability
principle under the GDPR and must be considered an updateable and ‘live’
document.
02
The Role of the Data Protection Officer
4. Large Scale
Some examples listed by the WP29 of large scale processing are called out
as the processing of patient data in the regular course of business by a
hospital, processing of customer data in the regular course of business by
an insurance company or bank, processing of personal data for behavioural
advertising by a search engine.
Some examples listed by the WP29 of regular and systematic monitoring are
in relation to all forms of tracking, profiling and monitoring of the behaviour
of data subjects such as targeted marketing activities, profiling and scoring
for a risk assessment (fraud prevention AML controls, credit scoring,
calculation of insurance premiums etc.), location tracking etc.
03
The Role of the Data Protection Officer
2. Professional Qualifications
04
The Role of the Data Protection Officer
Ability to fulfil its tasks refers to the integrity and high professional ethics of
the individual named as DPO as well as enabling and fostering compliance
with the GDPR and data protection through elements such as the principles
of data processing, data subject rights, data protection by design and by
default, record keeping of processing activities, security of processing and
breach notification and handling.
Appointing the DPO on the basis of a service contract can be concluded with
an individual or an organisation outside of the controllers or processors
organisation ensuring that there are no conflicts of interests and that such
individual is protected by the provisions of the GDPR. A team of individuals
can also be structured in order to efficiently serve clients as long as there is
clear allocation of tasks and a lead contact and person in charge for each
client. These points should be covered under the service contract.
05
The Role of the Data Protection Officer
Necessary Resources
The DPO and these heads of functions could be the same person but the
general thinking is that this could cause an independence and workload issue.
There will therefore be some grey areas between these heads of functions
and the DPO in terms of roles and responsibilities.
Conflicts of interests
The DPO may fulfil other tasks and duties however, these duties must not
conflict with their data protection duties. The independence requirement is
strengthened here and a DPO cannot hold a position within an organisation
that leads him/her to determine the purposes and means of processing
personal data.
06
Tasks of the DPO
The DPO must monitor compliance with the GDPR. In order to do this, the
DPO may:
Contact
Sean Smith
Partner| Risk Advisory
Email: seansmith1@deloitte.ie
Donal Murray
Director | Risk Advisory
Email: donmurray@deloitte.ie
Nicola Flannery
Senior Manager | Risk Advisory
Email: niflannery@deloitte.ie
07
Contact
At Deloitte, we make an impact that matters for our clients, our people,
our profession, and in the wider society by delivering the solutions and
insights they need to address their most complex business challenges.
As one of the largest global professional services and consulting
networks, with over 244,400 professionals in more than 150 countries,
we bring world-class capabilities and high-quality services to our clients.
In Ireland, Deloitte has over 2,300 people providing audit, tax,
consulting, and corporate finance services to public and private clients
spanning multiple industries. Our people have the leadership
capabilities, experience, and insight to collaborate with clients so they
can move forward with confidence.