Monitoring tasks of data protection officers 

The General Data Protection Regulation (GDPR) has fundamentally changed the organization of companies and public authorities. The new data protection regulations significantly impact companies’ internal and external processes and structures.

In particular, data protection officers are much more delimited from other bodies than before. For example, internal data protection officers previously also performed operational tasks for private companies. Since the GDPR came into force, they have retained an advisory and monitoring function.

The most important facts at a glance

• Data protection officers perform advisory and monitoring activities. In other words, as independent bodies, they interface between the company or authority and the responsible supervisory authority. They are not (or no longer) operationally active.
• To carry out their monitoring tasks, data protection officers depend on being granted the necessary powers by their employers or clients.
• Various monitoring instruments are available for monitoring activities, to use in a risk-oriented
• In addition, the organizational framework conditions such as guidelines, policies, and monitoring concepts must be developed.

GDPR: What has changed for data protection officers?

The data protection officer is an objective observer and not an acting member in companies and authorities. Instead, companies themselves are responsible for ensuring that data protection is implemented practically within the company or authority.

This is controlled and monitored by the internal or external data protection officers. They have various instruments at their disposal, ensuring compliance with data protection regulations. It does not matter whether the data protection officers are internal or external.

In smaller companies, an in-house data protection officer costs much money, which is why an external data protection officer is often hired here. Official data protection officers perform the same activities as company data protection officers.

What are the duties of data privacy officers?

Data privacy officers have a variety of tasks, which may differ depending on the size and orientation of the company. The activity of a data protection officer serves to self-monitor and improve data protection in processing personal data within a company. To this end, data protection officers act in both an advisory and a supervisory capacity.

The areas of responsibility fall into two broad categories: Advisory and monitoring tasks, which we describe in more detail below.

Advisory tasks of data protection officers

• Informing and advising data controllers and employees regarding their obligations under the data protection law
• Contact person for data subjects and process establishment for dealing with data protection mishaps
• Support in the preparation of data protection declarations, concepts, and guidelines
• Support in carrying out data protection impact assessments

Monitoring tasks of data protection officers

• Compliance with data protection obligations under the GDPR
• Review of the implementation of established strategies
• Cooperation with the competent supervisory authority
• Review of processing records
• Employee checks regarding compliance with the guidelines

We talk about the general tasks of responsibility of external and internal data protection officers in more detail in this article.

The role of the data protection officer in the company

The basic idea of the GDPR regarding company data protection officers is its monitoring function of it. The data protection officer is supposed to be a person or body in companies or public authorities who do not assume responsibility for operational tasks but are only objective observers.

This also serves to avoid conflicts of interest and maintain data protection officers’ objectivity and independence. Otherwise, data protection officers would also monitor themselves, which would be detrimental to effective monitoring.

Of course, data protection officers can also take on their role only part-time and spend the other part of their employment performing normal employee activities. However, care must be taken to ensure that there is no conflict of interest between the two activities in such constellations.

Therefore, data protection officers should not hold executive positions or other supervisory offices (such as money laundering officers, confidentiality officers, etc.).

In addition to data protection supervisory authorities, data protection officers are the most important bodies under the GDPR for monitoring data protection policies within companies and public entities. To effectively exercise the monitoring tasks, various monitoring tools are available. These include:

• Data protection controls in processes
• Data protection audits
• Evaluation of reports and statistics
• Certifications

A prerequisite for the effective work of company data privacy officers is the establishment of these monitoring instruments in the company or authority. Implementing these instruments is the responsibility of the company or authority management, not of the data protection officer. Data protection officers are therefore dependent on being granted the necessary powers.

However, it is also beneficial for the responsible body to ensure effective monitoring to prevent the risk of data privacy violations and the associated reprisals and claims for damages by the responsible supervisory authorities and data subjects.

Data protection controls

Data privacy controls must be integrated into the corporate organization to ensure consistent monitoring. These include preventive controls of existing processes and procedures and detective controls to clarify data privacy violations. It is irrelevant whether the controls are manual or automated, usually integrated into the used software. The subjects of the various data privacy controls are data privacy, data protection, and data security. The objects of the different data protection controls are:

• Checking user authorizations for up-to-dateness
• Effectiveness and efficiency of processes
• Up-to-dateness of the records
• Review of technical and organizational measures
• Approval and establishment of user authorizations and concrete specifications in this regard
• Involvement of the data protection officer in changes to and the introduction of new data processing processes
• Threshold analyses for data protection impact assessment

Since data privacy officers always act in a risk-oriented manner, data privacy controls serve to implement data privacy guidelines and prevent process-related risks to the company.

For the most part, checks are not carried out by data protection officers themselves but rather by the senior management of the responsible departments or by individual, operationally active employees. However, the results or anomalies must be coordinated and analyzed with the data protection officers to take new precautions constantly or improve the processes.

Implementing data protection controls is necessary in all respects to control all processes and prevent data protection mishaps. After all, these represent a not inconsiderable financial risk for the company.

In plain language, the aim is to avoid errors or to identify them early, report them, and eliminate them. At the same time, organizational measures are tested for their effectiveness.

This implementation takes place in the following 4 steps:

1. identification of risks in the individual processes
2. definition and controls for risk coverage
3. implementation of controls in the individual processes
4. conduction and documentation of the controls

Data privacy audits

A data privacy audit or data protection review analyzes an organizational unit, an individual process, individual documents, or data within the company. The purpose is to review security, efficiency, effectiveness, and compliance and to identify errors, assessments, or opportunities for improvement.

The GDPR does not contain a legal obligation to conduct audits, but it requires data protection officers to review the organization in any case. Although data protection audits are commissioned by the responsible bodies, the planning and implementation are the data protection officer’s responsibility as a monitoring body or independent third parties to avoid conflicts of interest. In medium-sized and large companies, it may be advisable to outsource data privacy audits. Data privacy officers then have the task of monitoring proper conducting.

This is always done in a risk-oriented manner with a view to the company and the data subjects. Processes that involve an exceptionally high risk of data privacy violations or the risk of grave breaches must be checked most strictly and frequently, and due account must be taken of the associated risk. The effectiveness and efficiency of the data protection organization should be reviewed regularly, but at least annually. The proper implementation of legal requirements in processes should also be scheduled on a risk-oriented basis, at least annually. In addition, there is the analysis of acute data protection incidents, which of course, cannot be performed preventively or on a scheduled basis but only on an ad hoc basis.

Certification

In addition to approvals by the responsible supervisory authority, companies can also protect themselves through so-called certifications. In this case, the internal concepts and rules of conduct are checked and monitored by independent, external bodies. In this respect, certifications are comparable with data protection audits. However, once the audit is completed, the company receives a certificate confirming the positive outcome.

Certification systems have been established for a long time. The best known in Germany are the DIN standards and ISO standards at the international level. However, the GDPR does not provide for any of these systems but establishes its own within Art. 4, 42 GDPR. The supervisory authorities must first approve the standards based on the interests of the data subjects, not those of the companies.

Due to the short time since the entry into force of the GDPR 2018, the offer for certifications in Germany is still minimal. As a result, these are not yet suitable instruments within the monitoring concept. Existing certifications can be used, but not too much value should be placed on them when creating a proper data protection strategy.

Other monitoring tools

In addition to controls and audits, other instruments can be used to monitor data privacy. First, reports on information security and IT audits should be made available to data protection officers to check for information and processes relevant to data protection.

In addition, data protection officers can conduct self-assessment surveys of senior management in companies and public authorities regarding compliance with data protection regulations and ask them about potential for improvement and deficiencies.

The employees involved can also be asked about existing processes and suggestions for improvement. It is also advisable to set up a procedure whereby the involved employees can contact the data protection officers confidentially and report violations or incidents.

The analysis of data-related reports and statistics from risk, complaint, and information security management can also provide relevant insights into the company’s data protection status.

Organization and framework conditions

To consistently comply with data protection, a framework of implementation must be established. Particularly in larger companies, every employee who has anything to do with personal data must be adequately informed about the rights and obligations and the procedures to be followed. These should therefore be documented, for example, in internal rulebooks such as data protection guidelines and policies. These form the basis for all further regulations and the establishment of a data protection concept. They, therefore, provide orientation for all employees and additional rules.

Data privacy guidelines can include the following regulations, for example:

• Corporate goals about data privacy
• Management’s commitment to data privacy
• Structure of the guidelines
• Responsibilities and accountabilities
• Binding nature of the data privacy guidelines
• Awareness and training
• Technical implementation of data protection guidelines and accountability
• Organization of data privacy audits

Policies should be created based on the guidelines to concretize them and establish appropriate regulations. Such a data protection policy must regulate at least the following contents:

• Introduction or modification of data processing in the company
• Data protection impact assessment
• Record of processing activities
• Transparency, data subject rights, information
• Security of automated processing
• Commissioned processing
• Data protection incidents
• Data protection officer
• Information and training
• Responsibilities
• Process description
• Monitoring tools
• Ensuring continuous improvement

In addition, regulations on the data protection management system, data protection controls, data protection audits, etc., can be made. In particular, the rules on data protection officers should be discussed in more detail:

Here, it is essential to specify their rights and duties in task assignments, delegated competences or powers, and, if applicable, professional qualifications. These include, in particular, regulations on:

• The clear obligation to appoint and document the data protection officer and to notify the supervisory authority.
• The specific tasks and position of the data protection officer and communication of these
• The provision of sufficient resources for the performance of their activities, in particular time, financial resources, authority, and further training
• Sufficient information opportunities for the data protection officer and involvement in processes
• The data protection officer’s duty of confidentiality
• The data protection officer’s freedom from instructions and exemption from conflicts of interest

Monitoring concepts

Furthermore, the monitoring organization should be clearly defined and regulated in detail in a monitoring concept. This should include the company’s processes relevant to data protection and the instruments intended for monitoring. In this respect, the monitoring concept should also have different approaches to monitoring, which can complement each other and contribute to an optimal concept.

Continuous and uninterrupted monitoring: The monitoring instruments should be used permanently and in the entirety of the processes, systems, and projects. 

Risk-oriented monitoring: It is most important for the company that the riskiest processes are monitored most strictly to prevent financial damage and damage to its reputation. Therefore, it is necessary to filter which processes pose the greatest risk to data protection subjects and responsible parties and prioritize the approach accordingly.

Event-oriented monitoring: in addition to regular and usually preventive monitoring, analyses of acute events must be prioritized, especially in the case of data privacy impact assessments and data privacy incidents or breaches.

Responsibilities: also important is the assignment of responsibilities and accountability to ensure seamless monitoring.

Conclusion

It is not the data protection officers alone but all of a company’s corporate bodies that are obligated to protect data. Data protection officers assume only an organizational, advisory, and, above all, monitoring function.

In addition to advising the person responsible for establishing and implementing data protection requirements and informing and counseling employees, the organizational and monitoring tasks within the company are the day-to-day business of data protection officers.

Data privacy officers play a significant role in designing data privacy controls and their subsequent review. They are also called upon to plan and subsequently monitor audits and create the organizational framework within the company. In this context, they also bear responsibility for creating monitoring concepts.

Please note: The information listed may no longer be up to date due to the rapid development of the digital age and changing laws and case law. The information in the work by Ralf Herweg and Thomas Müthlein “Die Überwachungsaufgabe des Datenschutzbeauftragten nach DS-GVO”, 1st edition 2020 was used for research.