Having worked in the field of data protection since 1998, I believe the General Data Protection Regulation (GDPR) has significantly increased the profile of those working with the legislation. This is assisted and reinforced by the legislation requiring the role of the Data Protection Officer (DPO) to have particular attributes and undertake certain tasks.
We have yet to see much case law that helps with how this part of the legislation should be interpreted, although it is clear that organisations have taken different approaches towards the requirements for the role of the DPO, and I am not sure that there is a legal basis for some that I have seen.
For this blog, I am going to start with Article 37(5), which sets out the requirements for those who are DPOs:
‘The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.’
Professional qualities and expert knowledge are not defined (and this is something I am going to research further), although to me it is clear that it is the person who is the DPO who should possess these attributes.
What seems to have been implemented in practice in a number of organisations is that the person who is given the title of DPO is someone fairly senior, perhaps someone already reporting into the most senior level of management. They sometimes have a working knowledge of data protection, although in other cases the person with the ‘expert knowledge of data protection law and practices’ has a more junior position within the organisation.
Therefore it is not the DPO with the necessary attributes but someone who presumably reports into the DPO in some capacity, whether that is by line or functional management reporting structures. I don’t see any issues with delegating or assigning tasks and responsibilities to others. In fact, in some organisations compliance would be impossible to achieve without doing this effectively. But can a personal attribute such as ‘expert knowledge’ be delegated or assigned to someone else? With these types of approach, the question perhaps becomes whether compliance with this part of the legislation can be achieved by looking at the skills and competencies within the organisation as a whole rather than those of a specific individual.
Having worked with a number of different pieces of legislation in the past that require a specific role to have skills and competencies, I am not aware of any precedents for delegating in this way, although that is not to say there aren’t any, and I am going to look into this further. I am also not sure that, had the text in the earlier versions of the GDPR been retained (a requirement for a professional qualification rather than qualities), it would have been so easy to have varying interpretations. The legislation has undoubtedly presented challenges to many organisations, with the role having traditionally been considered more junior than one that would usually report into a board or the highest level of management.
Can the law be interpreted in a way that means the professional qualities and expert knowledge are not held by the DPO? I don’t believe it can, and I don’t see any basis for the person possessing these attributes being a different person to the person designated as DPO. I also don’t believe that is what is intended by the legislation, so this is definitely something to research further.