Updated: Apr 13, 2020
The Data Protection Officer, most commonly referred to as the DPO, is the main subject of the fourth section of the GDPR. In this article, we discuss what a DPO is and the role it is designated upon the implementation of the GDPR.
Companies are now required to hire or have a Data Protection Officer on hand, as the GDPR makes it mandatory. Article 37 of the regulation sets out the three scenarios in which a DPO is mandated:
"The processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
the core activities of the controller or the processor consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offences."
The terminology used above, however, is vague and not very clear. One main example is the GDPR's failure to properly define "public authority or body". According to the Article 29 Working Party (WP29), however, these should already be defined by national laws. "Core activities", on the other hand, refers to the activities that are essential for the processor and/or controller to fulfil their goals, and is a common phrase that recurs throughout the regulation.
Another term that has not been clearly defined is "large scale", but WP29 plans to offer a more in-depth description of and guidance on this term soon. For now, we are left with examples of what can be considered "processing data on a large scale", such as the processing of patient data by a hospital or the processing of data by telephone and/or internet service providers. Specific cases such as an individual doctor's processing of their patients' data, however, are not on a large scale.
Now that we have defined that, let us discuss who is qualified to be a "Data Protection Officer". This question is answered by Article 37 of the GDPR.
Although the regulation does not specify the level of expertise a DPO must have, it does require that it be commensurate with the complexity of the job, the amount of data processed within the organization, and similar factors.
Another overlooked aspect of the GDPR is the professional qualities of a DPO. Although it is a given that a good DPO must have in-depth knowledge of national and European laws and understand the GDPR thoroughly, a data protection officer should also be an expert in the business. It would also be ideal for a DPO to possess exemplary professional ethics.
According to Article 38(3) of the GDPR, DPOs cannot be penalized for performing their tasks, should worst come to worst. Furthermore, they report only to the highest level of authority and nothing less, and they are not to receive instructions regarding the exercise of their tasks by any means.
It is also important to note that, along with responsibility, the job comes with risks. Given that security is the main job of a data protection officer, risks are inevitable, and The International Association of Privacy Professionals has written an article about them.
One example of these risks is the fact that laws differ across the world, which could mean very different penalties for the same role. Hong Kong has one of the world's strictest laws, and a DPO may face a maximum of 5 years' imprisonment depending on the level of non-compliance. These offences range from failing to ask for consent for direct marketing and transferring data to third parties without consent to providing the commissioner with false information, and everything in between. In the Philippines and Singapore, DPOs can also face penalties: a data protection officer can be imprisoned for 6 months to 7 years in the Philippines and for 1 to 3 years in Singapore.
Unauthorized processing, access due to negligence, and unauthorized disclosure are some of the violations punishable in the Philippines. Malaysia can also charge any cross-border restriction violation, with penalties of up to 300,000 Malaysian Ringgit (approximately $94,200) or up to two years of imprisonment.
In the United Kingdom, DPOs can be held criminally liable if they meet the following conditions:
"(a) [k]new or ought to have known (i) that there was a risk that the contravention would occur, and (ii) that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but (b) failed to take reasonable steps to prevent the contravention."
In Ireland, a data protection officer faces criminal charges if a company's non-compliance was committed with their consent or connivance, or is attributable to their negligence. The UK and Ireland both impose fines as statutory damages but have no imprisonment sentences.
"Scary" is the perfect word to describe the risks facing incoming data protection officers, as they need a bird's-eye view of everything data-security-related in order to avoid criminal charges. Insurance policies should be in place to help alleviate, and perhaps even avoid, these risks, especially when it comes to civil liabilities. Unfortunately for DPOs, insurance policies do not cover criminal liabilities, so one must be very vigilant and mindful once hired.
To sum up, as challenging and risky as a data protection officer's job may be, it is most definitely significant. Despite the potential threats and dangers the job carries, these can be avoided when a person does their job with integrity and with an outlook for the greater good of everyone. Insurance policies should also not be neglected, as they will be the saving grace of DPOs everywhere in countries with heavy fines.