A full version of this article first appeared in Privacy Laws & Business.
It has been nearly two years since GDPR came into effect. Whilst most organisations have made substantial headway in complying with the GDPR, many are still grappling with the appointment of a Data Protection Officer (DPO) or have found that their initial arrangements are not working, and they need to re-think their DPO appointment.
While Article 29 Working Party Guidelines on Data Protection Officers provides some guidance for organisations on when a DPO should be designated under Article 37 of the GDPR and what their tasks might be, the appointment of a DPO has not been and is not an easy task.
Many organisations take several months to recruit a DPO and, given a lack of suitably experienced candidates, have found that the best option is to appoint an outsourced DPO to perform those services. This appointment may either be on a long-term, ongoing basis, or on a short-term basis whilst a less experienced individual gets up to speed with data protection legislation. In either case, it is important for an organisation to understand what is required from an outsourced DPO.
How can a DPO be appointed under the GDPR?
Article 37(2) states “a group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment”, therefore in practice a group of entities may appoint one DPO. Furthermore, Article 37(6) states that “the data protection officer may be a staff member of the controller or processor or fulfil the tasks on the basis of a service contract”. Additionally, section 2.5 of the A29 WP Guidelines states that “the function of the DPO can also be exercised on the basis of a service contract concluded with an individual or an organisation outside the controller’s/ processor’s organisation”.
Outsourcing any services for an organisation is an important decision and given the responsibilities imposed on a DPO and the legal and reputational ramifications, organisations must consider the following factors carefully when entering into a contract for the provision of DPO services.
The DPO’s experience
The DPO should be appointed on the basis of “professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil tasks referred to in Article 39 of the GDPR” (Article 37(5)). It is important for organisations to ensure that a DPO is a fit culturally, that they understand the industry in which they operate and that the key tasks and responsibilities are clearly set out.
Conflict of interests
The requirements of Article 38(6) allow a DPO to “fulfil other tasks and duties” provided that “any such tasks and duties do not result in a conflict of interest”. It is therefore important to ensure that the contract specifies any scenarios whereby the DPO provider may face a conflict of interest, for example providing advice to two DPO clients on the same matter or transaction, and what should happen in this situation, for example requesting they notify the client of any potential conflict of interest, step down from one of the roles or seek additional legal advice from another source if necessary.
As GDPR is very prescriptive in the tasks that the DPO must fulfil, the contract should set these out clearly. The key tasks are as follows:
Training and awareness: The contract should make provision for the DPO to deliver regular data protection training to ensure that awareness of data protection legislation remains high within the organisation. Organisations should also ensure that the contract mandates regular meetings with the organisation to ensure that the DPO “is involved, properly and in a timely manner, in all issues which relate to the protection of personal data”.
If the DPO Contract covers a group of companies, it will be important to ensure that this requirement is mandated across all group companies regardless of their location in the world.
Accessibility of the DPO: When a DPO is appointed for a group of companies, it will be important to include provisions detailing how the DPO can be contacted across all group companies to ensure that this person is easily accessible. In all cases, the details of the DPO should not only be registered with the relevant supervisory authority but full details of the DPO should also be posted internally.
Data protection impact assessments (DPIAs): Under Article 35 of GDPR, the DPO must be consulted when a DPIA is carried out. The contract should, therefore, state how the DPO will be contacted, and the procedure that will be followed to involve the DPO in the DPIA process. The DPO Contract should also set out how any decisions to send DPIAs to the relevant supervisory authority for prior consultation will be agreed.
Data subject complaints and individuals’ rights: As the DPO should be consulted on all matters relating to data protection, it is important that complaints are escalated to the DPO as quickly as possible. The contract should specify how data subject complaints will be escalated to the DPO and include details of how these will be dealt with.
Personal data breaches: The DPO must be consulted in relation to any personal data breaches. Therefore, it is important for the contract and the organisation’s internal policies to include details of how personal data breaches are escalated to the DPO. This process should be included in the DPO Contract to ensure that all parties are clear on the roles that they will play and how any disagreements in terms of reporting requirements will be documented.
Monitoring compliance: It is of paramount importance for the DPO to be able to monitor the organisation’s data processing activities whilst performing the role of an outsourced DPO. In order to meet such requirements, the contract should specify the nature and extent of any data protection audits that the DPO will carry out. Any agreed dates for data protection audits should be shared within the organisation to ensure that the DPO is provided with sufficient resource to undertake such audits and has access to processing equipment where necessary.
Reporting requirements: It will be important for the external DPO to ensure that they are able to escalate the state of compliance for data protection to management within the organisation. This is often harder for an outsourced DPO as they are not on-site every day; therefore, reporting requirements should be included in the DPO contract. This may include the preparation of board and senior management reports and/or attendance at senior steering group and other executive meetings where data protection matters are discussed.
Resources: Whilst organisations may think that by outsourcing the role of the DPO they absolve themselves from any liability in terms of providing resources and assistance, organisations will still be required to give the DPO access to individuals who can ensure that any policies and procedures relating to data processing are followed by the organisation. Additionally, depending on the size of the organisation, the DPO may require an internal team to support them in performing their role. Any provisions relating to such a team should be included in the contract.
For organisations who operate in several locations, and in some cases across jurisdictions, appointing an outsourced DPO raises the question of effectiveness across the group, especially if the local language in those jurisdictions is not the same. Ordinarily, multi-national organisations will usually appoint a “lead DPO” who will manage and oversee a team of local DPOs (or data protection champions) who are positioned in relevant jurisdictions.
It is possible that an internal team will need to be created to support the key tasks of the outsourced DPO. This is in most cases, the preferred and most practical option for organisations as individuals within the organisation will also be likely to possess detailed operational knowledge of the organisation. It will also be important for the organisation and the outsourced DPO to agree on the approach to appointing local translators to ensure that all relevant documents are provided in the data subjects local language. This is something which should be discussed, and the approach agreed in the contract.
As set out above, these are the key mandatory requirements for a DPO, however, organisations will also want to ensure that commercial terms are included to ensure that the services are delivered as per the contract.
- Price and scope: The price and scope of the services are key to ensure the parties understand the obligations on both of them to ensure the DPO can fulfil their tasks. Scope creep is something which occurs frequently with data protection advice, therefore clear instructions should be agreed in advance in writing. If additional advice is required outside the scope of the agreed DPO Contract, a mechanism should be included to enable additional work to be documented and agreed in advance.
- Term: As the role of an outsourced DPO is critical for the organisation and labour-intensive for the external DPO provider, both parties will want to ensure that they provide adequate notice to the other party if the services need to be terminated. It is therefore advisable for the initial term to be agreed and then periodic review periods set at appropriate intervals to ensure that the services are working for both parties.
- Service level agreements: The time period for responding to matters should be included in the contract to ensure that the organisation meets its regulatory requirements, especially in relation to personal data breaches and responding to individuals exercising data subjects’ rights.
- Liability: External DPO providers will want to ensure that appropriate liability caps are included in the contract to ensure that they are not exposed to unnecessary risk when performing the services. Any such liability should be proportionate to the services which are being provided by the external DPO provider and should take into account the risk posed by the nature and extent of the organisation’s data processing.
Each organisation will want to ensure that the level of support provided by the DPO is proportionate to the risk of processing. For some organisations, the level of DPO support services will be minimal, as organisations will have knowledgeable in-house teams who can provide support to the DPO under their direction. However, for some organisations, this is not possible and therefore the level of services and support required from the DPO will be more substantial.
In the latter case, the level of input required from the DPO is likely to diminish over time. If the DPO is effective, the implementation of appropriate training, policies and procedures should ensure that the business becomes more knowledgeable and confident of dealing with data protection issues on a day to day basis. It is therefore likely that the DPO role will stabilise as time goes on and the burden will lessen. The contract needs to allow sufficient flexibility to reflect the changing requirements of the organisation.
In our experience of acting for organisations as their formal DPO, it is apparent that a one-size-fits-all solution will not always be the best choice for organisations and, in turn, meet the requirements of the GDPR. The most important considerations will be a cultural fit and ensuring there is sufficient flexibility on both sides to enable the role to evolve as the organisation’s data protection compliance matures.