Presentation of the role of the data protection officer under the draft EU General Data Protection Regulation

1. The rôle of the Data
Protection Officer
Gavin Llewellyn
Senior Associate
Intellectual Property
President, IP Commission, Union Internationale des Avocats
The New EU General Data Protection Regulation
UIA, Madrid,18th April 2015

2. Adviser, auditor or enforcer?

3. Option to designate a DPO
(unless required by Union or Member State law)

4. Requirements of the DPO

5. Articles 35 & 36
• To have the expert data protection
knowledge to fulfil the tasks set out in
Article 37
• Contact details to be published and lodged
with the NDPA
• Perform tasks independently and in the
absence of conflicts of interests
• Report directly to the highest management
level of the controller or processor

6. Tasks of the DPO

7. Article 37
• To inform and advise the controller or
processor and the employees who are
processing personal data of their
obligations
• To monitor the compliance and application
of policies on data management, including
staff training, awareness-raising and
assignment of responsibilities

8. Article 37
• To monitor and advise on the use of PIAs
(Article 33) and prior consultation (Article
34)
• To monitor responses to requests from the
NDPA
• To co-operate with and act as a contact
point for the NDPA

9. Major areas of contention

10. Importance of the DPO
How much work involved?
Full-time or part-time position?
Cost implications
Criteria for deciding who does and does not
need a DPO

11. Benefits of a DPO

12. Need to manage data like any business
process
Not just a box-ticking exercise
Identify personal data at an early stage
Part of overall risk assessment of an
organisation
Privacy enhancing technologies
Privacy as a brand differentiator

13. Gavin Llewellyn
00 44 207 324 1524
gll@stoneking.co.uk