Privacy & Cybersecurity Law Blog

On January 25, 2017, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP submitted formal comments to the Article 29 Working Party’s (“Working Party’s”) Guidelines on Data Protection Officers (DPOs) (“DPO Guidelines”) that were adopted on December 13, 2016. CIPL’s comments follow its November 2016 white paper on Ensuring the Effectiveness and Strategic Role of the Data Protection Officer under the General Data Protection Regulation, which CIPL submitted as formal initial input to the Working Party’s development of DPO implementation guidance under the EU General Data Protection Regulation (“GDPR”).

CIPL’s comments on the DPO Guidelines highlight the importance of treating the DPO Guidelines, and other guidance the Working Party issues about the GDPR, as “living documents” subject to amendment and further clarification based on evolving experience.

CIPL’s comments also emphasize several key issues that it believes were insufficiently addressed by the DPO Guidelines, including:

• the DPO’s role as a strategic advisor and enabler of effective use of personal data;
• the DPO’s seniority and how this relates to reporting to the “highest management level”;
• whether reporting to the highest level of management should be interpreted pragmatically and flexibly to encompass “true” reporting lines; and
• limitations on the DPO’s cooperation and consultation with the Data Protection Authorities caused by competing DPO obligations.

Additionally, CIPL’s comments address specific issues raised by the DPO Guidelines, including:

• “core” and “ancillary” activities;
• “regular and systematic monitoring”;
• processor DPOs;
• the scope of processing activities covered by a DPO;
• the DPO’s accessibility and reliance on a DPO team to perform DPO tasks;
• secrecy and confidentiality;
• the DPO’s level of expertise and professional qualifications;
• the DPO’s involvement in “all” data protection issues;
• instructing the DPO and DPO independence;
• the DPO as data strategist and, in the SME context, as ISO or CIO; and
• recordkeeping.

CIPL’s comments were developed based on input by the private sector participants in CIPL’s ongoing GDPR Implementation Project, which includes more than 85 individual private sector organizations. CIPL also will comment on the Working Party guidelines on data portability and Lead Supervisory Authority under the GDPR, as well as continue to provide formal input about other GDPR topics the Working Party prioritizes.