Through recent decisions, the Litigation Chamber of the Belgian Data Protection Authority (BDPA) has examined the role of the Data Protection Officer (DPO) and set out its own interpretation of the requirements for this role, as well as the DPO's tasks.
In each case, the Litigation Chamber concluded – in a manner that may lead to controversy – that the (internal and external) DPOs appointed did not meet the requirements of the GDPR. The deadline for filing an appeal against these decisions is still running, but it is already useful to look at the Litigation Chamber's position on this topic.
In summary, here are the top tips that result from this evolving case law:
- When recruiting a DPO, request evidence of the candidate's expert knowledge of data protection law, even when you work with a DPO agency;
- Carry out your own assessment of the candidate, even when you work with a DPO agency;
- If you are uncertain of the (best) candidate's expertise, compare the risk to your organisation of (i) continuing the search with that of (ii) hiring him/her and requiring the DPO to improve that expertise in the short to medium term;
- If there is a potential data breach, involve the DPO, but ensure that he/she is not involved in the decision on the risk (and on whether or not to notify the Data Protection Authority);
- Avoid having a DPO who is also head of any given department in your organisation;
- Ensure that there is a clear possibility for the DPO to report to the highest management level, and that this possibility is not limited to a yearly report.
Read on for more detail on the Litigation Chamber's reasoning – and how this might affect your organisation.