Since the introduction of the General Data Protection Regulation (GDPR), the organizational structure of companies and public authorities has changed fundamentally regarding their protection of personal data. For example, the GDPR more clearly delineates the tasks of the individual bodies, and data protection officers have become more important. The protection of data of natural persons is in the foreground.
But what are the tasks of data protection officers? How can companies ensure that such tasks meet the requirements of the GDPR? In this article, we answer the most important questions about the topic.
Before the GDPR, data protection officers were also responsible for operational tasks; since the reorganization, their job has been limited to supporting the responsible bodies in their data protection tasks. The responsible bodies, on the other hand, have to ensure that data protection is effectively implemented, demonstrably organized, and sufficiently monitored.
Although, according to the GDPR, there is no legal obligation to appoint a data protection officer in most cases, it can make a lot of sense to seek external support in meeting data protection requirements. Each company must decide whether it needs an external or an in-house data protection officer for this purpose. In another article, we listed the advantages and disadvantages of both options.
The company or authority must also function and be effectively monitored without a data protection officer. Data protection officers can act as a “small supervisory authority” and assume an advisory role within the company or authority. Their task is to develop and implement monitoring concepts with the responsible body.
Most companies and public authorities are affected by challenges concerning data protection. In the digital age, automated processing of personal data occurs in almost every company. The resulting data protection obligations are the starting point for the GDPR: The aim is to ensure that all companies comply with data protection laws and responsibly handle the data of natural persons.
Thus, responsible entities must prove that they comply with the legal requirements (so-called accountability). Companies and public authorities must know their rights and obligations and organize their operations in such a way that they meet the requirements. If they fail, this is known as organizational culpability, for which they may be liable and subject to expensive sanctions.
The company’s obligations include developing a data protection concept, properly instructing suitable employees, and carrying out internal data protection controls. This is where data protection officers come in: as internal contacts, they are entrusted with monitoring compliance with the GDPR and helping the responsible bodies minimize liability risk.
In addition to the data protection officer as an internal monitoring body, there are external monitoring bodies that directly or indirectly monitor government bodies:
Data protection officers have two core areas: advising and monitoring.
It follows that they first provide advice on the implementation of the GDPR and then review and monitor the implementation and effectiveness of data protection.
Internal and external data protection officers advise the responsible bodies and support them in implementing data protection regulations within the company. To this end, they can propose strategies and organizational measures. They also support the management of their company in solving specific problems:
Data protection officers are contact persons inside and outside the company: they advise employers, employees involved, and, if applicable, the works council, their customers, suppliers, and contractual partners.
In an advisory capacity, data privacy officers assist the works council. In this case, it is not uncommon to hold mediation talks between the employer and the works council, so that not only expertise but also tact and negotiation skills are required. In most cases, data privacy officers have to act as neutral mediators.
They also work closely with the supervisory authority. Here, data protection officers form an interface between the company and the authority and work closely with both sides to implement data protection requirements. If the supervisory authority has data protection-related questions for the company, it usually contacts the data protection officer directly as an expert.
Data protection officers inform the persons responsible and the employees involved in the processing operations about their obligations under data protection law. In addition, data protection officers advise the responsible parties on the provisions of data protection law and how these can be integrated into the operational process. To this end, they can propose concrete strategies and organizational measures.
As experts in data protection regulations, data protection officers assist in creating legal documents in this area. These include policies, agreements, rules on Internet usage, or guidelines on how to deal with data subject inquiries.
For example, data protection breaches usually must be reported within 72 hours. This very short deadline assumes that adequate processes are in place to enable any employee to identify a data protection breach and take the necessary next steps. The one-month deadline for processing data subject inquiries also requires an established structure and organization.
To this end, data protection officers must support their employers in developing and establishing such processes and guidelines.
Data privacy officers are also responsible for advising on preparing data privacy statements and data privacy documentation. Data protection documentation, in particular, is essential to fulfilling the company’s duty of accountability.
One of the tasks of data protection officers is to check whether the employees in the responsible offices have received further training. Contrary to frequent expectations, employee training is generally the employer’s responsibility. However, data protection officers are responsible for monitoring it and checking it for compliance. They are therefore an integral part of data protection training courses for employees to ensure that they all are familiar with the requirements of data protection and implement them in their daily work.
Training delivered by data privacy officers not only ensures the necessary legal certainty concerning the content; it also has a psychological effect: employees get to know the data privacy officer as an expert in their field and get in touch with them personally. This lowers the inhibition threshold to ask them questions and approach them with problems in their everyday work.
The data privacy officers also provide regular information about innovations and potential for improvement, for example, in a newsletter or circular note.
For certain categories of data, companies and authorities must carry out a data protection impact assessment. Here, the data protection officer helps clarify whether an assessment is necessary and answers processing-related questions about the procedure. In some cases, prior consultation with the supervisory authority is also necessary, which data protection officers handle.
Data protection officers monitor compliance with data protection guidelines as the interface between the company and the supervisory authority. They monitor:
Data controllers are required to create a record of processing activities. This is particularly easy and efficient with the Priverion data protection platform. Data protection officers provide advice and check the record for completeness and consistency.
It is important that data privacy officers serve the company’s or authority’s self-monitoring function, i.e., they also draw attention to grievances and misconduct. This can be unpleasant for the management of the company or authority.
To ensure adequate control, however, data protection officers are always free from instructions in the performance of their duties, i.e., the persons in charge have no influence on their actions and must grant them freedom in their decisions and activities.
For data protection officers to properly perform their duties, they rely on the support of their employer. The GDPR requires responsible entities to provide the necessary resources to enable data protection officers to do their job.
In particular, the following powers are to be granted by the responsible parties:
At the same time, it also clarifies who is responsible in the event of a deficiency:
At the same time, data protection officers must consistently perform the above tasks in their employer’s interests. The central mission is, therefore, to work in a risk-oriented manner.
That means they should not only keep an eye on the risk associated with the processing operations on the side of the affected person but must also include the risk to the company in the event of a legal violation.
In practice, this means taking a selective and pragmatic approach to fulfilling one’s duties, constantly assessing the most significant risks to data subjects and controllers, and prioritizing one’s activities accordingly.
At the same time, data protection officers must not neglect any tasks or measures simply because they pose a comparatively low risk. For data protection officers, this can result in a complex balancing of the tasks they have to perform, which requires a certain amount of tact.
As an in-house or external data protection officer, you have many tasks to organize daily. Your guiding principle is always to comply with all data protection regulations.
You are the person with the best knowledge of data protection in your company or authority, and you provide advice and support to employees, superiors, and external parties. As a result, the job is anything but boring and requires professionalism and sensitivity in dealing with your fellow employees.
Balancing compliance with data protection regulations and prioritizing the employer’s interests can be challenging. You must always weigh the risks to your employer and to the data subject. The fields with the highest risks must be prioritized accordingly, without forgetting the less risky areas in the stressful daily routine.
The true art of a data privacy officer is not to lose sight of the big picture amidst all these demands and to meet all obligations. The advantages that the Priverion data protection platform brings are therefore highly valued.
Reading tip: In this article, we take a closer look at the individual monitoring tools of the data protection officer.