Data protection officers and other data protection related functions

Data protection is teamwork

Small and medium-sized enterprises (SMEs) face the same challenge as large corporations in that they must implement numerous GDPR requirements and, due to their general accountability, must also be able to demonstrate compliance with all legal requirements. This creates an obligation to organise and document data protection.

Data protection officer as an advisory and oversight body

Even if the company has a company data protection officer, their tasks are focused on providing advice and oversight in accordance with Art. 39 GDPR. Conversely, the operational implementation of the other data protection obligations under the GDPR is not part of the data protection officer's tasks. In any case, his or her legal mandate does not directly serve to protect the appointing body, but rather the persons affected by data processing, such as employees, consumers or other persons who have contact with the company. According to Art. 38(4) GDPR, the data protection officer can be consulted by data subjects on all questions relating to data processing and the exercise of their rights. However, he or she also advises the company management and the specialist departments that handle personal data and monitors compliance with the existing data protection regulations by the controller or processor. The data protection officer's duties not only fulfil the legal requirements of the GDPR and the BDSG but also reduce corporate risks arising from the immense fines imposed under the GDPR.

The data protection officer performs his duties independently and reports directly to the highest level of management. He is entitled to involvement, support and further training, is protected against removal from office and, in the case of an internal data protection officer, is also protected against dismissal. The data protection officer may not be penalised for performing his duties.

In Germany, a data protection officer must be appointed by controllers or processors if they employ at least 20 people on a regular basis for the automated processing of personal data. In addition, there is a mandatory requirement to appoint a data protection officer, regardless of the threshold, if a controller or processor carries out processing operations that are subject to a data protection impact assessment (Art. 35 GDPR) or processes personal data on a commercial basis for the purpose of transmission, anonymised transmission or for market or opinion research purposes.

Further information and templates for data protection officers:

the GDD

The addressee of the GDPR is clearly defined, but the details of its implementation can be tailored

The addressee of the GDPR is the controller, which is usually equivalent to the company (a limited company, a non-profit limited company, a public limited company, a partnership limited by shares, etc.) or a legal entity within the group. Responsibility for the operational implementation of data protection therefore lies with the authorised management, such as the executive board or the board of directors. Typically, however, they do not have the necessary resources in terms of time and the necessary expertise in data protection law to perform this task competently. It is therefore necessary to delegate responsibility for operational data protection.

Mastering data protection as a team

If the organisational unit has appointed a data protection officer (DPO) either voluntarily or in accordance with legal requirements (Art. 37 GDPR, Section 38 BDSG), the DPO is available to provide advice and supervision based on their expertise, but is not responsible for operational support or implementation. Therefore, the operational implementation of data protection requirements is usually delegated and organised centrally or decentrally. In order to support the specialist departments in their operational data protection tasks and, in particular, to support and promote a uniform approach to data protection in complex or decentralised organisational units, a ‘data protection team’ can be formed. Such a team thrives on the exchange of information and is responsible for communicating the topic of data protection within the data processing organisation.

What roles are there in the data protection team?

The law only recognises the role of data protection officer. In the absence of legal requirements, a number of roles have emerged among those involved in data protection: data protection managers, data protection coordinators, data protection experts and data protection officers (for details of their tasks, see the practical guide Responsibilities and Tasks (DE)). The data protection officer supports the aforementioned functionaries within the scope of his or her legally defined advisory and supervisory function.

The data protection coordinator as an interface

Data protection coordinators, among others, have gained particular importance in practice. A characteristic feature of data protection coordinators in general is that they are either decentralised or at least deployed in a decentralised manner. Data protection coordinators form the interface between the specialist departments or local units (branches, plants, subsidiaries, etc.) and those responsible for data protection expertise and responsibility. They serve as decentralised contact persons within the respective specialist department or division and support the decentralised unit in all data protection processes within the framework of the process organisation. Based on corresponding specifications in the form of checklists and templates, coordinators support the specialist departments as data-processing units and ensure that data protection is effectively implemented in these areas (see job description for data protection coordinator (DE)).

Coordinators face a wide range of tasks

In addition, coordinators often take on the task of raising awareness and training employees on site. Coordinators answer simple data protection questions themselves. Complex questions are escalated to a central data protection unit within the company or group, or to the responsible manager, or coordinated with the data protection officer for a response.

Communication is essential

In order to promote synergies and develop best practices, it is advisable for coordinators to communicate regularly with each other, as well as for the numerous data protection coordinators to communicate with the data protection officer. Similarly, the responsible (department) head of the decentralised unit and the data protection coordinator should communicate regularly.

Special role: The data protection coordinator for external data protection officers

If an external data protection officer has been appointed for the company, the coordinators must communicate particularly intensively and extensively. Data protection coordinators therefore have a special role within organisational units with an external data protection officer. Since this externally appointed person does not usually have the same knowledge of the operational processes at the appointing body as its own employees, they are dependent on appropriately competent contact persons within the appointing body. This further enhances the role of the data protection coordinator, who acts as a link to the external data protection officer, particularly in SMEs. With their daily presence within the responsible body, the coordinator often serves as the first point of contact for all data protection issues and then refers them to the data protection officer with legal expertise if necessary.

Coordinators need training

In terms of the necessary expertise and skills, data protection coordinators are becoming increasingly similar to designated data protection officers in practice. This is particularly true if the work associated with the role of data protection officer is mainly carried out locally by the data protection coordinators and data protection is to be handled uniformly within the organisation. Such a requirement exists, for example, in very large organisations where there is one officially appointed data protection officer and numerous decentralised data protection coordinators.

Responsibilities of a data protection manager

Data protection managers provide support from a central position within the company in the implementation of data protection regulations. They are regularly responsible for planning, setting up and controlling the data protection management system and its continuous development. Other typical tasks include developing and regularly reviewing (and, if necessary, adapting) existing data protection guidelines, as well as identifying potential data protection risks and developing appropriate solutions. The investigation of data protection-related incidents, the drafting of reports for company management and the management of a data protection department, if available, may also fall within the remit of the data protection manager. In some cases, they also carry out or supervise data protection audits and/or are responsible for conducting or organising data protection training (see job description for data protection manager (DE)).

Responsibility

As the daily work of the data protection manager is characterised by overarching, cross-departmental tasks, they hold a particularly responsible position. Internally, they regularly assume the legal obligations that are incumbent on management as the addressee of data protection law, and in this respect take on management's duties. The role of data protection manager may, but does not necessarily, come with corresponding authority to issue instructions.

Practice improves tasks and functions on an ongoing basis

Only the tasks and position of the data protection officer are directly derived from the law. All other actors described are based on role models in corporate and public authority practice. Since there is a practical need for these roles but no legal regulation, the descriptions are based on practical experience but cannot be regarded as binding.

Note: For better readability, only the masculine form is used. All references to persons apply equally to all genders.