

Data protection professionals are in luck: we have seen the birth of our new messiah, the European Regulation 2016/679 on Data Protection (GDPR to its friends).

Rather than covering in this post all the novelties that this new regulation brings (and there are quite a few...), we will focus on introducing a figure that we will all soon be hearing about in the business world, and that is developed in the aforementioned regulation: the Data Protection Officer.

What is it, who is it, what does it do, why…

The Data Protection Officer, DPO or Delegate of Data Protection, is defined in the GDPR as a figure who is either internal to the company (independent and without hierarchical subordination, except to senior management, to whom the DPO must report directly on their work) or external, within the framework of a service contract. The DPO has to supervise, inform and advise the company and the employees who process personal data about the obligations that this new regulation imposes, as well as those of other complementary provisions and laws.

Of course, he must be appointed taking into account his professional qualities and, in particular, his specialized knowledge of law and practice in the field of data protection. What does this mean? Well, not everyone can be a DPO...

The DPO becomes a regulated professional, with a status within the organization, an independent figure who performs his duties and who is heard in the organization (spoiler: the sanctions for non-compliance with the GDPR increase significantly, and can be up to €20,000,000 or 4% of the company's annual turnover, whichever is greater).

Article 29 lists the functions that this new figure will have (literal reproduction):

  • Inform and advise the controller or the processor, and the employees who carry out processing, of the obligations incumbent on them under this Regulation and other data protection provisions of the Union or of the Member States.


  • Supervise compliance with the provisions of this Regulation, with other data protection provisions of the Union or of the Member States and with the policies of the controller or the processor regarding the protection of personal data, including the assignment of responsibilities, the awareness and training of personnel participating in processing operations, and the corresponding audits.


  • Offer the advice that is requested about the data protection impact assessment and supervise its application in accordance with Article 35.


  • Cooperate with the supervisory authority.


  • Act as the contact point for the supervisory authority on issues related to processing, including the prior consultation referred to in Article 36, and make consultations, where appropriate, on any other matter.


Sounds familiar, right? The DPO becomes what is known today as a Data Protection Advisor. The difference is that the figure is now regulated, so not just any adviser will do. If your company wants to have a DPO, that person must have some specific characteristics.

OK, but do all companies have to have a DPO? No, it is mandatory to have a DPO when:

  • The processing is carried out by a public authority or body, except the courts that act in the exercise of their judicial function.


  • The main activities of the controller or processor consist of processing operations that, due to their nature, scope and/or purposes, require regular and systematic observation of data subjects on a large scale.


  • The main activities of the controller or processor consist of large-scale processing of special categories of personal data pursuant to Article 9 and data relating to criminal convictions and offenses referred to in Article 10.

However, it is recommended that large companies, those that process data continuously, those that have several establishments, groups of companies, etc. have a DPO who centralizes the functions related to data protection, making them more effective and allowing greater control over the data in the organization. This makes it possible to act proactively and preventively, anticipating situations that compromise data security, to maintain an efficient alert system and, consequently, to react promptly and effectively to any type of claim, incident or potentially adverse situation, avoiding bad practices that can tarnish the image of the company.

It must be clear that addressing the management of personal data from a specialized legal-technical perspective will not only provide security in the face of possible complaints and sanctioning processes, but will also allow companies to obtain internal tools and procedures that improve efficiency in data management (updated and accurate inventories of the computer system, specific protocols for specific actions, specification of tasks and responsibility in data management, elimination of superfluous and out-of-date documentation, recording and analysis of incidents, etc.).

With regard to the client, the figure of the DPO also offers an image of greater professionalism, security and trust, both for the quality and clarity of the information that will be provided when collecting their data, and for the security of having efficient claim mechanisms in this regard.

By having this figure, the internal staff who have been designated to coordinate the adaptation actions to the LOPD and LSSICE that are currently being carried out (or that should be being carried out) will be relieved of their work, limiting their participation to what is strictly related to their work, thereby reducing administrative burdens that hinder the development of the usual work of the different departments.


As a slogan we can conclude that:

Do not gamble: if your organization has a complex structure, have a DPO in your company.


Another day we will continue breaking down other aspects that are regulated in this new regulation...

Idaira Hernandez Peraza

Director of Consultants Peraza & Asociados, SL
