The role of the Data Protection Officer (DPO) and the requirements the DPO needs to meet have now been partially clarified by the Italian privacy authority.
I often describe the role of the DPO as one of the most complex "rebus" of the European General Data Protection Regulation. The matter was addressed in the past by the guidelines of the Article 29 Working Party, but those guidelines still left some gray areas. To deal with some of the open questions, the Italian privacy authority (the Garante) issued its first opinion on the matter, in response to a request from a company.
The position of the Italian privacy authority on the DPO
The "Garante" held that DPOs will need to have
"an in-depth knowledge of the privacy laws and practices, as well as the administrative rules and procedures that characterize the specific field of reference. In their selection, it will be appropriate to focus on individuals that can demonstrate professional qualities appropriate to the complexity of the task to be carried out, perhaps by documenting their experiences, participation in professional courses (especially if the level achieved is documented)."
But the more interesting content of the decision is that the Garante emphasized that the role of the data protection officer does not require the holder of the position to obtain any formal certificate of professional competence. Such attestations, including those issued after a test at the end of a training cycle, can be a useful tool for assessing an adequate level of knowledge of the discipline, but they are not equivalent to a "title" entitling someone to hold the role of DPO.
The consequence is that, if the professional competence of the DPO can be proven through other circumstances, e.g. the performance of professional activities in the field during the previous years, no certification is required. However, if no such evidence can be provided, a certificate might help to validate the appointment.
But where shall the DPO be located?
The decision of the Italian privacy authority did not clarify the most uncertain aspect of the DPO's role: where the DPO should sit within the organization. In my view, the main points are the following:
- The DPO should ideally report to a manager who has no operational role but rather an internal control/audit role, with the possibility in any case to submit recommendations directly to the board and to have their career assessed by the board;
- The DPO cannot be the sole supervisor of the company's privacy compliance; internal data processors shall be appointed in each department, and these shall be individuals with an operational rather than a strategic role;
- The DPO shall receive reports from the internal data processors on the processing of personal data, in order to monitor that the company processes personal data properly; and
- The internal procedures and policies of the company shall give employees and contractors strict instructions on how to process personal data.