DPO, what are you going to do with it? Quality title for the DPO: the Register DPO

By: Caroline Willemse, with contributions from participants of the Ethics working group.

Quality assurance of the Data Protection Officer, who holds a social function

The UN Rapporteur on the right to privacy already reported at the end of 2017 that more data has been collected in the past 2 years than in all previous years in history. There is a lot of ‘potential’ in data, and governments and the business community are responding to this. Governments are increasingly making use of opportunities to exchange personal data, such as the use of travel data from the public transport chip card to detect fraud and the blacklist that was accessible to thousands of employees of various parts of the Tax Authorities. We have no idea how much influence the web and its algorithms have on us and our search behaviour. Presumably, our choices are influenced, including our voting behaviour in elections.

To protect our personal data and the associated privacy, the EU has introduced the General Data Protection Regulation (GDPR). This regulation makes it mandatory for governments and certain private organizations to appoint a data protection officer (DPO). A DPO is an internal supervisor in organizations. The role of internal supervisor is (inherently) complex and comparable to that of other supervisors, such as the controller or accountant.

For example, the advice of the DPO is required for the approval of the annual accounts. There can be a lot of pressure on the DPO to give rosy advice. The big question is therefore whether the DPO succeeds in making an impact in organizations. This will partly depend on the knowledge and skills of the DPO.

What knowledge and skills are expected from a DPO?

The European supervisor indicates that the DPO must be carefully selected. With regard to professional qualities, the European supervisor sets the following requirements:

  • expertise in the relevant legislation and regulations;
  • knowledge of the industry and organization of the company for which the DPO is appointed;
  • insight into the data processing operations carried out, the information systems and the needs of the controller in the field of data security and data protection;
  • knowledge of the administrative rules and procedures of the organization.

The requirements that a DPO must meet are formulated in general terms. This leaves a lot of room for your own interpretation.[1]

Furthermore, there is no testing at all as to whether the DPO actually meets these requirements. The GDPR only obliges the organization to provide the contact details of the DPO to the supervisory authority, in the Netherlands the Dutch Data Protection Authority (AP). After the notification, you are a DPO (in Dutch: FG).

For example, government bodies, financial institutions, insurers, hospitals and mental healthcare institutions can count on a fine if they have not demonstrably appointed a DPO. The increased demand for DPOs has led to a proliferation of “experts” in the field of privacy regulation. Many organizations fail to separate the wheat from the chaff.

Appointing an (incompetent) DPO in many cases entails liability risks for the management of the organization. In that case, the Dutch DPA can only conclude that the organization does not comply with the law. The fines that can be imposed on the basis of the GDPR are so high that the survival of the organization may be endangered.

It is important to know that DPOs enjoy dismissal protection. It is not the intention that the board of an organization can answer a critical judgment of a DPO with a dismissal.

But how does a company or institution know whether the DPO is an expert and skilled person? And how does the DPO know whether he has sufficient knowledge and skills? DPO training varies from a short course of a few days to months or years of studies.

To guarantee the quality of the DPO, we don’t have to reinvent the wheel. There are several professions that are similar, such as accountants. They are broadly educated and after completing their education they can register as RA or AA in the accountants register. Those who are registered have sufficient knowledge of the profession. The applicable codes of conduct and professional rules stand for an ethically responsible and professional attitude. For example, an accountant cannot accept an assignment without sufficient substantive or sector-specific knowledge. The professional rules enforce that the accountant ‘keeps his back straight’ regardless of the situation in which he finds himself. This aims to prevent unethical behaviour. In addition, there is a possibility to sue the accountant before a disciplinary court if a third party believes that the accountant has violated the rules of conduct and professional rules. These rules apply to all registered accountants, whether or not they hold the position of accountant.

An employer or client who wants to hire an accountant or award an assignment can consult the accountants register to check whether the person is registered, and thus knows that this person has followed the necessary training and is bound by the rules of conduct and professional rules.

In our opinion, the same set-up should also be arranged for DPOs. Only persons who have followed and obtained an accredited/certified training may be registered in a DPO register and may bear the title Register DPO (RDPO). In addition, ethical conduct must be secured in codes of conduct and professional rules. We believe that a professional code is necessary[2]. Only an RDPO can be registered in the register. It would be recommended if, for example, the Dutch DPA becomes the holder of such a register. An independent disciplinary board (yet to be established) could monitor compliance with the code of conduct and professional rules.

Ensuring the quality and ethical conduct of a DPO is a condition for compliance with the GDPR and for safeguarding privacy within society. Only then can individuals be better protected against unauthorized use of their personal data (invasion of privacy).

It is necessary to set explicit requirements with regard to training and rules of conduct for the DPO, which can also be tested. Everyone should have the opportunity to ensure that they are dealing with a well-trained and competent/honest DPO.

For these reasons, we advocate a register with only DPOs who meet the required qualities: the register of RDPO.

Due to the lack of an (inter)national register of DPOs, Duthler Academy drew up its own register a few years ago. The DPO Register[3] is the register in which aspiring DPOs (AFG) (i.e.: participants in the DPO Training Program) and certified DPOs (RFG) are included. The register is accessible to everyone via the internet and is managed by Duthler Academy. From 1 January 2019, DPOs who are registered in the register of the Duthler Academy are bound by these rules of conduct[4].

MYOBI is a Trusted Third Party (TTP) and has included in its conditions that participants must make the level of their accountability for compliance with the GDPR transparent with an Accountability Seal. MYOBI requests confirmation from the DPO of the participating company, because third parties must be able to rely on the Seal. MYOBI can only do this if the quality of the DPO has been established, and therefore consults the DPO Register of Duthler Academy.

[1] In Section IV of the GDPR (Articles 37 to 39), the legislator has defined the position, tasks and preconditions of the position of Data Protection Officer (DPO). The supervisory authority, the Dutch Data Protection Authority (AP), has subsequently drawn up guidelines for DPOs that are based on the FAQ that the Article 29 Working Party (WP 29) developed in December 2016. Among other things, this further describes the expertise and skills that are required for fulfilling the position of DPO. The GDPR Implementation Act contains no further provisions regarding knowledge and skills for the DPO.

[2] The Ethics Working Group has therefore drawn up its own rules of conduct and professionalism, and students and graduates of the Duthler Academy are expected to adhere to these rules. In particular, the working group found the discussion about the establishment of these rules to be valuable.

[3] Registry Data Protection Officer – Duthler Academy

[4] 181220-Core values-and-rules of conduct-FG-version-2.pdf (duthleracademy.nl)