Is it a good idea to appoint an internal DPO?
Appointing an internal DPO: does he/she have the recommended skills?
March 11, 2022
The European Data Protection Board published its first opinion regarding certification schemes, responding to a submission from Luxembourg’s National Commission for Data Protection on its EU GDPR Certified Assurance Report-based Processing Activities (GDPR-CARPA). In its opinion, the Board underlined the importance of the DPO’s skills.
The DPO qualification following Opinion 1/2022 on the draft decision of the Luxembourg Supervisory Authority regarding the GDPR-CARPA certification criteria.
The General Data Protection Regulation (GDPR) has established the concept of a Data Protection Officer (DPO) in Europe. DPOs are independent data protection experts who are responsible for monitoring an organisation’s compliance, informing it of, and advising on its data protection obligations, and acting as a contact point for data subjects and the relevant supervisory authority. Organisations must assess whether they need to appoint one and, if so, who they should give that responsibility to. There are some legal requirements that must be met, such as avoiding conflicts of interest, which can prove challenging.
The opinion 1/2022 on the draft decision of the Luxembourg Supervisory Authority regarding the GDPR-CARPA certification criteria, adopted by the European Data Protection Board (EDPB) on February 1, 2022, outlines, among other things, the obligations applicable to controllers and processors.
The EDPB underlined the importance of the DPO’s skills. The Luxembourg Supervisory Authority had suggested two criteria for evaluating the qualification of a DPO who does not have a minimum of three years of professional experience:
- (i) The DPO must have two years of legal experience and have undergone extensive training on data protection; or
- (ii) The DPO has access to in-house legal assistance, or via an open-ended service contract with an external firm, covering all GDPR topics.
According to the EDPB, this second criterion should not be used on its own to assess the qualification of the DPO. The Board states that the DPO should not be considered qualified only because he/she “has access to legal assistance internally, or via a non-limiting service contract with an external firm, covering all GDPR subjects”.
This criterion could be an additional condition for assessing the DPO’s competencies, but not a stand-alone, exclusive requirement. Since GDPR compliance within an organisation relies heavily on the work and ongoing expertise of the DPO, it is paramount that this position be assigned to someone with the appropriate expertise. Moreover, the data protection training relied on must be recent and up to date.
Does the situation seem complex, and are you not sure what to do?
Do you feel that this is too many skills for one person?
It is indeed hard to find one person combining all the recommended skills. This is why, at MyData-TRUST, our main strength is our multidisciplinary team, composed of Data Protection Officers (DPOs) specialised in the healthcare sector, lawyers specialised in data protection and privacy, and cybersecurity experts highly trained in data protection and privacy. Our DPOs are certified by Maastricht University after a six-month intensive training programme, and work very closely with our legal and IT teams.
When you appoint your external DPO at MyData-TRUST, you have only one point of contact, your DPO, and behind this person is a team of experts delighted to give you the best possible support.
If you are an organization operating in the Health sector looking for advice or additional information on this subject, contact MyData-TRUST. We will be pleased to assist you.