The DPD and its important work
The DPD, or Data Protection Delegate, is a figure already known to all of us since the RGPD arrived in 2016, and in a more regulated way since the entry into force of the LOPD-GDD. Today, however, the DPD needs more of our attention, as it is truly important for any organization and a key piece in complying with data protection obligations.
The establishment of this figure might seem simple, since the LOPD-GDD indicates in which cases its presence is mandatory, the possibility of appointing a DPD on a voluntary basis, as well as the requirements that the person who performs its functions must meet, and the actions that can be carried out.
However, all that glitters is not gold, nor is everything as easy to do as the law states.
European Report on the State of the DPOs
The European Data Protection Board (EDPB), in a recent report, analyzed the designation and situation of DPOs in public and private entities at the European level. The main objective of this analysis is to promote best practices, identify deficiencies and issue recommendations to strengthen this figure.
The points of attention on which the analysis of the figure of the DPD is carried out are the following:
Absence of appointment of the DPO even though it is mandatory:
Article 37.1 RGPD and Article 34.1 and 2 of the LOPD-GDD determine which entities must appoint a DPD on a mandatory basis. The first step, therefore, is for every entity to analyze whether it has this obligation. Entities should also consider appointing a DPD on a voluntary basis, given the recognized value of the DPD as a mediator between companies, employees and customers, and especially with the AEPD and other regional supervisory authorities.
Insufficient resources allocated to the work performed by the DPDs:
One of the characteristics of the DPD is its independence when performing its functions, so that its work is transparent. The resources assigned to it must therefore be sufficient for it to act independently and with adequate capacity, depending on the characteristics of each company.
Whether the DPD is internal or external, this capacity to perform its functions correctly must be analyzed, checking that whoever offers the DPD services has sufficient time and personnel to do so.
Specialized knowledge to perform the DPD function:
Article 37.5 of the RGPD and Article 35 LOPD-GDD determine the professional characteristics and experience that the DPD (natural or legal person) must have in order to perform his or her functions (art. 39 of the RGPD).
Logically, this figure corresponds to a specialized function in the field of data protection, so whoever holds this position, whether internal or external, must have a broad knowledge of data protection regulations.
Assignment of functions to the Delegate:
Article 39 of the GDPR indicates the minimum functions to be performed by a DPO, but it has been detected that the DPO is not always assigned all the functions that correspond to the role by law, which minimizes its potential and the possibility of acting for the benefit of the company.
Conflicts of interest and independence of the DPD:
In accordance with Article 38.3 RGPD and Article 36.2 of the LOPD-GDD, if there is any reason why the delegate will not be able to act independently or with the desired transparency and autonomy, the appointment of another person to occupy the position should be analyzed. It is essential that the DPD can perform his functions freely and without coercion from managers or senior management, in order to fulfill the objective of his appointment.
Inadequate or lack of reporting by the DPD to management:
Just as independence is crucial for a good performance of the functions assigned to the DPD, it is also crucial that managers or senior managers are informed of the level of compliance with data protection obligations in their company, and of any other circumstance related to data protection.
More information for control authorities:
The supervisory authorities (AEPD in the case of Spain) must be permanently informed of how this figure is working in order to generate actions that help to empower it and demonstrate its importance.
Report results
In view of this situation, the AEPD, which has participated in this initiative coordinated by the European Data Protection Committee, analyzed the data of more than 10,000 entities in both the public and private sectors. In the private sector, the sectors analyzed were education, banking and financial institutions, health, energy, security, telecommunications services, solvency and credit, and activities related to gambling and betting.
From this analysis, the AEPD revealed the following data:
First
86% of the entities hire external DPOs, but it would be necessary to investigate in each case whether the DPO properly meets the needs of all their clients. Otherwise, entities could fall into the error of appointing the delegate only to cover the legal requirement, and not so much to generate a firm commitment to respect and guarantee personal data.
Second
58% of the respondents reflect the appointment of the DPD as permanent, the rest being variable, which coincides with the appointment of the external DPD.
Third
Regarding the allocation of resources to the DPD, the results of the survey were positive.
Fourth
The DPD must be more involved in data protection issues in the actual performance of his or her duties, a circumstance that may depend on the assignment of tasks by managers most of the time.
Conclusions
The DPD is an important figure that must be given the relevance that the law itself grants him, as he is a fundamental support for companies and workers in fulfilling their data protection obligations.
This is why it is necessary to raise awareness among data controllers, as well as data processors, that this figure is present as a collaborator and support in the fulfillment of obligations, and is also the necessary link with the control authorities for the management of claims or other issues, which favors any entity.