Providing for a practical guide for the Data Protection Officer (DPO) lies at the heart of this publication. As stated by the European Data Protection Board (EDPB) it is best practice for the DPO to have a work plan. What does such a work plan look like? Providing an answer to that question lies at the core of this publication. According to the EDPB, it is valued a good practice for the DPO (or the organisation) to compose a work plan, but the form or content of such a work plan is not discussed by the EDPB. In order to answer this central question, the two following (more concrete) ‘lines of orientation for a DPO work plan’ are being applied.
Firstly, the text as enshrined in the General Data Protection Regulation (GDPR) itself codifies an important line of orientation in the embodiment of Articles 37 to 39 of the GDPR in which the designation, positions and tasks of the DPO are discussed.
Secondly, an orientation line is found in the typical role the DPO is playing in the “daily data protection practice” which can be inferred from, among others, an action plan (or work plan) from an enterprise (institution or organisation). In pursuit of compliance with the obligations pursuant to the GDPR, at least the following steps (in any form or comparable language) can usually be distinguished.
- Establish GDPR policies.
- Make an inventory of personal data.
- Perform a GDPR baseline.
- Perform a GDPR gap-analysis.
- Perform a GDPR implementation.
- Perform GDPR review and update.
- Perform GDPR assurance and audit.
- Compose and communicate the GDPR accountability and reports.
The approach of “two lines of orientation” that is chosen for this practical guidance deliberately pursues to serve justice to the dichotomous practice of everyday life in which many DPOs operate. On the one hand, there is this continuous expectation that the DPO ‘will just take care of all we need to do’, while on the other hand, Articles 37 to 39 of the GDPR actually actively construct a certain distance between the DPO and the more operational GDPR activities. A special reason for this is to the benefit of preserving the independent functioning of the DPO which is emphasized among others in recital 97 of the GDPR.
Taking into account previous feedback on the legibility (and feedback on earlier manuscripts of this book), a deliberate choice is made to ‘where appropriate‘ just repeat (copy-paste) the content of certain previous paragraphs and/or parts of the book to promote the legibility and learning effects.
The mission, vision and strategy of the DPO work plan are taken as a starting point to compose general ‘tables of reference for the DPO’, which entail ‘connecting factors for more depth’ of each of the subjects that are mentioned in the specific chapters. The lay-out of these tables are equal in every chapter and are primarily intended for orientation for more concrete elaboration by the DPO in his or her work plan in accordance with their own enterprise, institution or organisation.
The GDPR defines a number of important tasks for the DPO which are in some way positioned on a ‘thin line of fragile checks and balances’ of various GDPR stakeholders. The specific positioning of the DPO is also relevant for the success of one of the most important goals of the GDPR, protecting the fundamental rights and freedoms of natural persons (‘data subjects’ in the GDPR) and in particular the right to protection of their personal data pursuant to Article 1(2) GDPR.
According to the European Data Protection Board (formerly operating as WP29), the DPO (or the organisation) should avail of a work plan which the organisation will use as a basis for providing, among others, ‘necessary resources’ for the DPO. With the entry into force of the GDPR as of 25 May 2018, the need to work on professional maturity of the Data Protection Officer (DPO) became more and more urgent. Moreover, the Spanish supervisory authority (AEDP) was the first European privacy supervisory authority that (although not based on Article 42 GDPR) to publish a “Certification Scheme of Data Protection Officers” in which a number of concrete knowledge and competence areas are mentioned, followed by the ‘CNIL Certification Scheme of DPO Skills and Knowledge’ in September 2018. This certification scheme of the French Data Protection Authority introduced certification criteria setting out, in particular, the conditions for admissibility of applications and the list of 17 DPO skills and knowledge required to be certified and also contained accreditation criteria setting out the requirements applicable to certification bodies wishing to be accredited by the CNIL to certify DPO skills and knowledge.
This publication is part of a larger series of publications for the professional DPO. Especially for junior and medior/advanced (and even some senior/expert) level DPO’s the following two additional sources are considered to be an indispensable work of reference:
- Handbook Certified Data Protection Officer, Body of Knowledge & Skills (BOKS), EIPACC (2021) and
- Business Companion Data Protection, Practical GDPR Guidance, EIPACC (2021)
- GDPR Official Resources, A comprehensive collection of the most important official resources for a better understanding of GDPR, EIPACC (2021)
This complete body of reference (which can be retrieved from www.dataprotectionbooks.com) is also very suited (thus recommended) for a larger group of data protection practitioners, such as:
- Certified data protection officers (CDPOs)
- Privacy Officers
- GDPR managers
- GDPR lawyers
- GDPR IT specialists
- GDPR IT lawyers
- GDPR compliance specialists
- GDPR security specialists
- Chief Technology Officers
- Chief Data Officers
- Head of Legal Affairs
- VP Digital Ethics
- Thought leaders in Artificial Intelligence (AI)
- Head of AO / IC
- Data privacy activists
- GDPR business model managers
- General Counsels
- All other employees / officers / experts involved with data protection
Those who are looking for an introductory level course to prepare for a better understanding of key concepts of the GDPR are referred to ’Privacy and Data Protection, Certified GDPR Compliance, which can be accessed by visiting: https://www.udemy.com/course/european-institute-certified-gdpr-data-protection-compliance/
While researching and compiling publications relevant for this handbook, we have been guided by the so called FAIR principles. Findable, Accessible, Interoperable and Reusable resources were collected and organized in a chronological order to produce a book that would meet the first needs of Europeans and non-Europeans who are professionally (as data protection practitioner, controller, employee, consultant, scholar or otherwise) or personally (as a citizen, data subject et cetera) interested in the role, positioning and tasks of the Data Protection Officer as envisaged in the GDPR.
Meanwhile, it has been more than 20 years (starting back in 2001) since I, in the capacity of ‘first DPO in the Netherlands for a non-departmental agency and former board member/vice-president of the Dutch Association of Data Protection Officers, emphasized the importance of developing a solid ‘knowledge curriculum’ for the DPO in practice. Since 2007 – when I conducted the first ‘Professional Training for the DPO’ for the Dutch Privacy Academy (NPA) – the number of practical knowledge and competence requirements has risen and the DPO has, more than ever, become a ‘jack of all trades’ that needs to constantly keep in mind the practice of the organisation and all the interests that are involved with this. In light of this background, the following considerations have, among others, contributed to the creation of this practical guidance.
1. The entry into force and applicability of the GDPR as of 25th of May 2018 has triggered the need for taking the position of DPO more seriously as it introduces a new generation of DPOs. In the spirit of ‘nobility obliges’, it is my conviction that more experienced (senior) DPOs (maybe more than ever before) should share their knowledge and experience with each other and especially with the new flock of DPOs. Moreover, regular professional feedback (sparring) sessions amongst DPOs can, according to me, provide for a certain enrichment of insights and experiences between professionals, which we need for reaching new maturity levels. In that respect, fuelling the new DPO with some practical orientation points is one of the ambitions of this practical guidance.
2. As mentioned above this practical guidance is part of a larger training program for future Data Protection Officers, especially those who aspire to get certified as per the CDPO Certification Scheme of the European Association of Data Protection Professionals (EADPP). As constituent Chairman of this EADPP Certification Committee a comprehensive DPO Body of Knowledge & Skills was designed for future DPO’s to get in command of required expertise and competencies. See also www.certifieddataprotectionofficers.com.
On the other hand, this practical guidance is part of a strongly practice-based implementation training (GDPR implementation management with sufficient attention to the position of the DPO) which is suitable for everybody that deals with the GDPR professionally or is interested in the GDPR for other reasons.
3. To some extent, the content of this book is promoting a more contentious debate on the professionalization of the DPO in general and in the area of ‘fundamental rights and freedoms’ in particular. The significance of this is also highlighted by the European Data Protection Board while stating that, ‘DPOs should be given the opportunity to stay up to date with regard to developments within data protection. The aim should be to constantly increase the level of expertise of DPOs and they should be encouraged to participate in training courses on data protection…’. Within the context of the continuous learning needs of the DPO, this handbook hopes to contribute to the development of next levels of professional DPO maturity.
4. The practical approaches of this book are written as a ‘first impression’ of what the role of the DPO could entail within the meaning of the GDPR, taking into account the longitudinal study (almost three decades) of the phenomenon “personal life” and many years of experience as a DPO practitioner. Although the DPO as such is not a new position in European data protection law, it is noted that in the present codification of the DPO in the GDPR, this “officer with a special mission” is relatively new (explicitly multidisciplinary) and needs to gain the necessary experience. In my view it could help to share already existing knowledge, experience and practical insights with the “DPO 3.0.
5. Having a background as a seasoned DPO practitioner (see www.romeokadir.eu) it may not come as a total surprise that in my opinion the context in which a DPO ought to function deserves more attention. In the first place for the practising DPO, in the second place for all stakeholders of a professionally performing DPO and finally for securing the fundamental rights to privacy (private life) and data protection as important societal achievements of data subjects acting in multiple societal roles (citizen, customer, consumer, client, patient, employee, parent etc.) in our civilized societies and in the daily practice of every enterprise, institution or organisation.
Last but not least, a word of sincere thanks to all students, the many participants of various DPO trainings, candidate-DPOs, fellow DPOs, GDPR specialists, colleague professors and others who contributed in their own way to intellectually sharpen the thoughts of (voluntary) designation, positioning, tasks and the practical functioning of the DPO. This book is also the result of this highly appreciated dynamic.
On behalf of the entire editorial team, we wish you an interesting DPO learning experience.
About the author
Professor mr. drs. Romeo F. Kadir MA MSc LLM LLM (Adv) EMBA EMoC
Romeo Kadir has over 25 years of experience as a privacy and data protection professional. He is President of the GDPR Certification Committee Academic Board of the European Association of Data Protection Professionals (EADPP), Ph.D. Researcher at Molengraaff Institute, Utrecht University (UU, Netherlands), Senior Associate Fellow with Vidhi Centre for Legal Policy (New Delhi), Honorary Visiting Professor in the field of Privacy & Data Protection Law at Universitas Padjajaran (Indonesia) and O.P. Jindal Global University (New Delhi). As President of the European Institute for Privacy, Audit, Compliance & Certification (EIPACC), he is an often consulted expert for data protection audits and reviews. As an active member of the International Board of Experts with EuroPrivacy – a premier EU Certification Scheme – he is actively involved with the development of an EU GDPR Data Protection Seal.
As of 1988 the author is involved with executive education, training and coaching of many professionals in the field of data protection or related fields, among which, data privacy experts, data managers, GDPR managers, Data Protection Officers (DPO’s), Privacy Officers, lawyers, ICT specialists, Compliance Officers, Auditors, Risk Officers, Security Officers, CISO’s, Chief Technology Officers, Chief Innovation Officers, VP’s Digital Ethics, General Counsels and many others. For more info, see www.romeokadir.eu.