I agree this is still a confusing area for the public sector, where we have complex governance structures. However, I too believe IG/IM functions are best placed to support a DPO given the need for independence, and agree it cannot be anyone in senior management who is responsible for any information assets.
There may be arguments about whether this should be a legal person (but that may conflict with the monitoring officer role) or the IG/IM manager. I believe the latter has the most practical experience and does most of what is indicated in the guidelines. We represent the data subjects' best interests and are independent. I see the 'reporting directly to senior management' being an issue for larger public sector bodies that follow a strict hierarchy of management.
There are a number of useful points from the Article 29 guidelines:
"In addition to facilitating compliance through the implementation of accountability tools (such as facilitating or carrying out data protection impact assessments and audits), DPOs act as intermediaries between relevant stakeholders (e.g. supervisory authorities, data subjects, and business units within an organisation)."
"The DPO plays a key role in fostering a data protection culture within the organisation and helps to implement essential elements of the GDPR, such as the principles of data processing, data subjects’ rights, data protection by design and by default, records of processing activities, security of processing, and notification and communication of data breaches."
"It is crucial that the DPO is involved from the earliest stage possible in all issues relating to data protection. In relation to data protection impact assessments, the GDPR explicitly provides for the early involvement of the DPO and specifies that the controller shall seek the advice of the DPO when carrying out such impact assessments."
"DPOs should have expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR. Knowledge of the business sector and of the organisation of the controller is useful. The DPO should also have sufficient understanding of the processing operations carried out, as well as the information systems, and data security and data protection needs of the controller."
"In particular, controllers/processors are required to ensure that the DPO ‘does not receive any instructions regarding the exercise of [his or her] tasks.’"
All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html