The Data Protection Officer


The Data Protection Officer: Profession, Rules, and Role
Paul Lambert

CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL

by Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business

No claim to original U.S. Government works
Printed on acid-free paper
Version Date:
International Standard Book Number-13: (Hardback)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged, please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access ( ) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Visit the Taylor & Francis Web site at and the CRC Press Web site at

CONTENTS

Guiding Points for Data Protection Officers xvii
Abbreviations xxiii

Section 1 A NEW PROFESSION

1 New Role: New Impact 3
Introduction 3
The Parties 3
Personal Data Use and Compliance 4
What Data Protection Is 5
Need for Data Protection 7
Growing Importance of Data Protection 8
Data Protection Regime 15
Outward-Facing Data Protection Compliance 15
Inward-Facing Data Protection Compliance 16
A Rights-Based Regime 16
Supervisory Authority 16
Data Protection Issues 17
General Criteria for Data Processing 19
Data Protection Overview 19
Legitimate Processing 24
Key/Topical Issues, Cases, and Legislation 24
Categories of Personal Data 31
General Personal Data 32
Sensitive Personal Data 32
Conclusion 36

2 New Profession 37
Introduction 37
Designation of the Data Protection Officer 39
Independence 39
Cannot Be Dismissed or Penalized for Doing Job 40
Reporting Line 41
Data Protection Officer 42
Qualifications and Expertise of the Data Protection Officer 44
Independent in Role and Functions 45
Resources 45
Description 45

3 New Role in Organizations 47
Introduction 47
Data Protection Officer 47
Position of the Data Protection Officer 48
Tasks of the Data Protection Officer 49

Section 2 THE REGULATION

4 New Data Protection Regime 53
General Data Protection Regulation Sections 53
General Data Protection Regulation Chapters 54
General Provisions 55
Principles 55
Rights of the Data Subject 55
Controller and Processor 57
Transfer to Third-Party Countries or International Organizations 59
Independent Supervisory Authorities 59
Cooperation and Consistency 60
Cooperation 60
Consistency 61
European Data Protection Board 61
Remedies, Liability, and Sanctions 62
Provisions for Specific Data Processing Situations 62
Delegated Acts and Implementing Acts 63
Final Provisions 63

Section 3 ROLE

5 Role, Obligations, and Position 67
Introduction 67
New Role of Data Protection Officer 67
Role and Position 68
Independent in Role and Tasks 68
Resources 69
Group Data Protection Officer 69
Contact Details 70
Reporting 70

6 Independence Needed 71
Independence 71
Instructions Regarding Tasks 71
Cannot Be Dismissed or Penalized for Performing Tasks and Functions 72
Report to Highest Management Level 72

7 Relationship with the Management Board 75
The Management Board in General 75
Reporting to Management Level 75
Promoting Data Protection to the Management Board 76

8 Relationship with Management Director Responsible for Data Protection 81
Management Director 81

9 Relationship with Information Technology 83
Data Protection Officer and the Information Technology Function

Relationship with Product Development 89
Product Development 89

11 Relationship with Human Resources 91
Human Resources

Obligation to Maintain Records and Documentation

Staff Training Guides 97
Staff Training 97

Section 4 TASKS

14 Tasks 101
Tasks under the New Regulation 101
Tasks Required by the New Regulation 103
Explicit Required Tasks under the New Regulation 103
Implicit Required Tasks under the New Regulation 104
Further Implicit Required Tasks

Tasks in Detail 119
Explicit Required Tasks 119
Advising on Obligations 119
Inform and Advise the Controller of Their Data Protection Obligations 119
Inform and Advise the Processor of Their Data Protection Obligations 120
Inform and Advise Employees of Their Data Protection Obligations 121
Monitor Compliance 123
Monitor Compliance with Data Protection Rules 123
Monitor Compliance with Other EU Data Protection Rules 123
Monitor Compliance with National Data Protection Rules 124
Monitor Compliance of the Policies with Data Protection 124
Monitor Assignment of Responsibilities 125
Awareness-Raising of the Controller/Processor 126

Awareness-Raising of Staff 126
Training of the Controller/Processor 127
Training of Controller/Processor Employees Involved in Processing Operations 127
Internal Audits 127
Advising on Data Protection Impact Assessments 129
Provide Advice on Data Protection Impact Assessments 129
Cooperate with the Supervisory Authority 129
Cooperate with the Supervisory Authority 129
Contact for the Supervisory Authority 130
Being the Contact Point for the Supervisory Authority on Personal Data 130
Being the Contact Point for the Supervisory Authority on Prior Consultation 131
Consulting with Supervisory Authority on Any Other (Data Protection) Matters 131
Consulting on Any Other (Data Protection) Matters 131
Due Regard to the Risk Associated with Processing 132
Implicit Required Tasks of the New Regulation 132
All Data Protection Issues 132
Maintain Proper and Timely Involvement in All Data Protection Issues 132
Champion and Ensure Adequate Resources 133
Performing Tasks with Resources Necessary to Carry Out These Tasks 133
Accessing Personal Data and Processing Operations 133
Access to Personal Data and Processing Operations 133
Maintaining Expertise 134
Maintain Expert Knowledge 134
Contact Point for Data Subjects 134
Be the Contact Point for Data Subjects on All Issues Related to the Processing of the Data Subject's Data 134
Be the Contact Point for Data Subjects on All Issues Related to the Exercise of Their Rights 134
Avoiding Instructions on Tasks 135
Ensure That No Instructions Regarding the Exercise of Tasks Are Received 135
Avoiding Dismissal/Discipline on Tasks 135
Ensuring That Any Dismissal or Similar Actions Do Not Relate to Data Protection Officer Tasks (Which Are Protected) 135
Report Directly to Highest Management 136
Ensure Direct Reporting to the Highest Management Level of the Controller/Processor 136

Risk Issues 136
Avoid Conflicts 137
Ensure No Conflict of Interest between Data Protection Tasks and Any Other Tasks and Duties 137
Further Implicit Required Tasks 138
Compliance with the Data Protection Principles 138
Compliance with the Rights of Data Subjects: Transparency and Modalities 139
Transparent Information and Communication 139
Compliance with Rights of Data Subjects: Information and Access to Data 142
Information to the Data Subject 142
Right of Access for the Data Subject 142
Compliance with Rights of Data Subjects: Rectification and Erasure 146
Right to Rectification 146
Right to Erasure (Right to Be Forgotten) 146
Right to Data Portability 149
Compliance with Rights of Data Subjects: Right to Object and Profiling 149
Right to Object 149
Measures Based on Automated Decisions and Profiling 150
Compliance with Rights of Data Subjects: Restrictions 151
Restrictions 151
Compliance with Controller and Processor: General Obligations 151
Responsibility of the Controller 151
Data Protection Principles 157
Data Protection by Design and by Default 159
Joint Controllers 165
Representatives of Controllers or Processors Not Established in the Union 165
Processor 165
Processing under the Authority of the Controller and Processor 167
Records 168
Cooperation with the Supervisory Authority 170
Compliance with the Controller and Processor: Data Security 170
Security of Processing 170
Notification of a Personal Data Breach to the Supervisory Authority 171
Communication of a Personal Data Breach to the Data Subject 172

Compliance with Controller and Processor: Data Protection Impact Assessment and Prior Authorization 174
Data Protection Impact Assessments 174
Prior Consultation 182
Compliance with the Controller and Processor: Data Protection Officer 183
Compliance with the Controller and Processor: Codes of Conduct and Certification 183
Compliance with Transfer of Personal Data to Third-Party Countries or International Organizations 185
Compliance with Remedies, Liability, and Sanctions 186
Compliance with Provisions Relating to Specific Data Processing Situations 187
Additional and/or More Specific Tasks 188
Training 188
Policies 189
Drafting Data Protection Policies 189
Implementing Data Protection Policies 189
Updating Data Protection Policies 189
Reviewing Other Policies in Relation to Data Protection Sections and Issues 189
Contracts, Terms, and So On 190
Reviewed Data Protection Terms, References and Clauses in the Organization's Contracts, Terms, and So On 190
Existing IT Projects and Processing 190
Reviewing and Engaging in Existing IT Projects as Regards the Impact on Personal Data and Data Processing Compliance Issues and Risks 190
New IT Projects and Processing 191
Reviewing and Engaging in New IT Projects as Regards the Impact on Personal Data and Data Processing Compliance Issues and Risks 191
Access Requests (Additional) 191
Queries 192
Being the Point of Contact for Data Access Queries and Requests 192
Point of Contact 193
Communications 193
Audits (Internal) 194
Audits 194
Audits (By Supervisory Authorities) 195
Audits 195
Audits (Of New Proposed Products and Services) 195

Audits 195
Employment Contract of the Data Protection Officer 196
Recitals on the GDPR 196
Main Articles of the GDPR 197
European Data Protection Supervisor 198
Adequate Staff and Resources 199
Information and Awareness-Raising Function 199
Advisory Function 199
Organizational Function 200
Cooperative Function 200
Monitoring of Compliance 201
Handling Queries and Complaints 201
Guaranteeing Independence 202
No Conflict of Interest between Duties 202
Staff and Resources to Carry Out Duties 203
No Receipt of Instructions Regarding the Performance of Duties 203
Access to Information and to Offices and Data-Processing Installations 203
Ensuring Compliance 204
Keeping Controllers and Data Subjects Informed of Rights and Obligations 204
Access to Data 205
Prior Notice of Processing 205

Section 5 TOOLS OF THE DATA PROTECTION OFFICER

16 Tools of the Data Protection Officer 209
Introduction 209
Advantages of Data Protection Officers 209
Significant Cost of Getting Data Protection Wrong 211
Fines and Penalties 213
Director and Officer Responsibility 216
Data Subject Actions 216
Organizational Data Subject Groups

Accessing the Data Sources 221
Sources and Locations of Personal Data 221
Sample Audit Inventory Queries 221

Customers/Clients 222
Employees 222
Sensitive Personal Data 223
Service Application Forms 223
Third-Party Requests for Disclosure 224
Staff Training and Awareness 224
Marketing 225
Customers 225
Prospective Customers 225
Project Management Activities 226
Information and Knowledge Management Practices 226
Contracts with Data Processors 226
Access Requests 226
Computer Systems and Security 227
Personal Computers of Employees 227
Removable Media 227
Network Security 228
Biometrics 228
CCTV 228
Personal Data Inventory Tool

Tools and Access Rights 233
Access Right 233
Confirmation Right Regarding Personal Data 234
Access Rights Regarding Personal Data 235
Considering an Access Request 236
Dealing with Access Requests 236
Response to Access Request

Records and Documentation Issues 241
Records and Documentation

Engaging Processors 247
Processors

Tools and Data Protection by Design and by Default 257
Data Protection by Design and by Default 257
Sample Tools 261
Recommendations 263

22 Security and Data Breach Tools 265
Data Breach 265
Notification Processes 265
Security Standards 268
Incident Response 270
Breach and Security

Data Protection Impact Assessment Tools 273
Data Protection Impact Assessment Obligation 273
Identifying When to Undertake a Data Protection Impact Assessment 274
Key Characteristics of Data Protection Impact Assessment 279
Key Elements of Data Protection Impact Assessment Report 281
Some Key Steps and Methodologies 281
Some Data Protection Impact Assessment Issues 282
Regular Monitoring
Prior Consultation

Data Breach 289
Data Breaches 289
Be Prepared 291
Why Being Prepared and Aware Is Important 292
Team 292
Lead Coordinator 292
Reporting 293
Board Level Responsibility 293
IT/IT Security 293
Legal and Privacy 294
Public Relations 294
Customer Relations 295
Employees and Human Resources 295
Police and Law Enforcement 295
Providers of Breach Resolution Services 296
Training and Preparing for Breach Incidents

Sample Data Protection Officer Datasets 299
Sample Data Protection Officer Datasets 299

27 Model Tips and Guidelines for the Role and Tasks 303
Model Tips and Guidelines 303
Data Protection Officers: Preparing for the New GDPR Legal Regime 311
New Data Protection Officers 312

Appendix 315
Index 363

CHAPTER 2
New Profession

Introduction

Chapter IV, Section 4 of the new General Data Protection Regulation (GDPR) creates the new professional role of data protection officer, together with the requirement for organizations to designate a formal data protection officer for the organization. There are rules in relation to:
- The organization's designation of the data protection officer
- Groups of undertakings and the appointment of a single data protection officer
- The appointment of a single data protection officer by public bodies or public authorities

This essentially creates a new profession, perhaps one of a number of new professions and career paths related to data protection issues and the new data protection regime. This emphasizes the new importance attached to personal data.

Chapter IV, Sections 4 and 5 of the new GDPR contain a number of Articles. Specifically, these relate to the:
- Designation of the data protection officer (Article 37)
- Position of the data protection officer (Article 38)
- Tasks of the data protection officer (Article 39)
- Codes of conduct (Article 40)
- Certification (Article 42)

The data protection officer will be chosen on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfill the relevant tasks (Article 37[5]). The data protection officer will have expert knowledge of data protection law and practices, including:
- Regulations
- Technical and organizational measures and procedures
- Expertise on technical requirements for data protection by design and by default, and for data security
- Industry and sector-specific knowledge
- Experience with the size of the controller or processor
- Awareness of the sensitivity of the data processed
- Ability to carry out inspections, consultation, documentation, and analysis (including outsourcing or delegating)
- Ability to work with data subjects and employees' representation organizations

The organization must enable the data protection officer to take part in ongoing advanced training measures to maintain specialized knowledge.

Designation of the Data Protection Officer

The organization's new data protection officer should have professional qualities, expertise, and experience, and in particular expert knowledge of data protection law and practice. He or she needs to have the ability to understand and fulfill the tasks required under the GDPR and national data protection law. The data protection officer may be an employee of the organization or a contractor. The contact details for the new data protection officer need to be publicly available. These contact details should also be sent to the national data protection supervisory authority.

The designation of a data protection officer is required in any case where:
- The processing of data is carried out by a public authority or body (except for courts).
- The core activities consist of processing which, by virtue of its nature, scope, and/or purpose, requires regular and systematic monitoring of data subjects on a large scale.
- The core activities of the controller or processor consist of processing on a large scale of special categories of data pursuant to Article 9 and of personal data relating to criminal convictions and offenses referred to in Article 10.

Independence

Article 38 (Position of the Data Protection Officer) states that "The controller and the processor shall ensure that the Data Protection Officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data."

Also, "The controller and the processor shall support the Data Protection Officer in performing the tasks by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her knowledge."

And importantly, "The controller or processor shall ensure that the Data Protection Officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing [the] tasks. The Data Protection Officer shall directly report to the highest management level of the controller or the processor."

It is expressly made clear that the data protection officer "shall not receive any instructions regarding the exercise of [the] tasks." This means that the organization shall not interfere with or pressure the data protection officer in carrying out and exercising his or her tasks. The data protection officer is effectively independent in undertaking these tasks. The data protection officer is also independent in that he or she is free from direction or reporting requirements to other staff, managers, section heads, or particular product or service project managers. This means that the data protection officer cannot be pressured into approving certain activities or projects where doubts exist as regards a new (or existing) data collection or processing activity. Equally, the data protection officer should not be pressured into ignoring a data protection analysis of new (or existing) activities that may raise data protection compliance concerns.

Cannot Be Dismissed or Penalized for Doing Job

Article 38 (Position of the Data Protection Officer) states that "[The Data Protection Officer] shall not be dismissed or penalised by the controller or the processor for performing [the] tasks."

It is therefore clear that significance, independence, insulation, and protection are being afforded to the new role of the data protection officer. Once the data protection officer has begun undertaking his or her official role and tasks, the organization cannot victimize, dismiss, or penalize the data protection officer.

It is more of an open issue whether sanctions can arise in relation to data protection tasks and/or other issues. However, given the possibility of threats, implicit threats, and constructive dismissal, it may well be difficult if not impossible to impose sanctions in relation to core data protection tasks, duties, and functions. It may seem easier to impose sanctions for purported errant activity that is outside of or unrelated to the core tasks and activities of the data protection officer. This may be difficult to demonstrate in practice, however, if there is a possibility of this other activity being referred to as a tacit punishment stemming from something occurring or not occurring in the data protection sphere. It may prove, in practice, difficult to disassociate data protection from other functions, with subsequent effects.

This protection is in order to assist and ensure the independence of the data protection officer in carrying out his or her tasks, and to ensure that he or she has the confidence to be able to undertake and follow through on tasks without impermissible pressure, third-party interference, or unwarranted direction or intimidation.

However, it should be noted that the data protection officer may be permitted to undertake tasks and duties other than data protection related tasks. If there are any other such tasks or duties, they must not result in a conflict of interests. It might be argued that the insulation and protection afforded to the data protection officer may not extend to disciplinary procedures as regards these non-data protection related activities. However, it is notable that the provision states that the data protection officer shall not be dismissed or penalised "for performing [the] tasks," suggesting the possibility of dismissal for performing other non-personal-data tasks. The reference to duties and tasks does not necessarily distinguish between the different duties and tasks of the data protection officer (referring only to "[the] tasks" in Article 38[3]). It can quite likely be said that the protection that the data protection officer receives means that he or she may not be dismissed, regardless of the data protection and non-data protection tasks and duties undertaken, or at least that an organization may have a most difficult task in seeking to justify a particular sanction or dismissal.

Reporting Line

Article 38 (Position of the Data Protection Officer) states that "The Data Protection Officer shall directly report to the highest management level of the controller or the processor."

It is clear, therefore, that significance is being afforded to the new role of the data protection officer. Again, this assists and ensures the independence of the data protection officer in carrying out his or her tasks, and ensures that he or she has the confidence to be able to undertake and follow through on tasks without impermissible pressure, third-party interference, or unwarranted direction or intimidation.

Data Protection Officer

There may have existed a traditional view within organizations that the role of the person tasked with dealing with data protection issues was limited to dealing with outward-facing data protection queries such as access requests, data protection website queries, and the like. There may have been an understanding that human resources (HR) managers were responsible for dealing with all employee-related queries, including references to and copies of employee documentation and personal data. This is no longer the case. Now, there must be a designated data protection officer appointed within an organization. Furthermore, the role and tasks of the data protection officer are not limited to outward-facing issues. The data protection officer will also be concerned with inward-facing issues. Employees and similar internal-facing individuals have data protection rights and will be able to address queries to the data protection officer independently of the HR function. Therefore, organizations must consider data protection officer issues and the GDPR in terms of internal-facing functions.

Chapter IV, Section 4 of the new GDPR refers to data protection officers and the obligation for organizations to appoint data protection officers. The controller and the processor shall designate a data protection officer in any case where (GDPR Article 37(1)):
- The processing of data is carried out by a public authority or body
- The core activities involve processing with regular and systematic monitoring of data subjects on a large scale
- The core activities involve processing of special categories of data or of criminal convictions or offenses data on a large scale

A group of undertakings may appoint a single data protection officer (GDPR Article 37(2)). Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organizational structure (GDPR Article 37(3)). In cases other than those referred to in Article 37(1), the controller, processor, or associations and other bodies representing categories of controllers or processors may designate a data protection officer (GDPR Article 37(4)).

The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfill the tasks referred to in Article 39. In some instances, therefore, the necessary level of expert knowledge may be determined, inter alia, according to the data processing carried out and the protection required for the personal data processed by the organization. The data protection officer may be a staff member of the controller or processor, or may fulfill the tasks on the basis of a service contract (GDPR Article 37(6)). The controller or the processor shall publish the contact details of the data protection officer and communicate these to the supervisory authority (GDPR Article 37(7)).

The controller or the processor shall ensure that the data protection officer is involved in a proper and timely manner in all issues that relate to the protection of personal data (GDPR Article 38(1)). The controller or processor shall ensure that the data protection officer performs the tasks and duties independently and without instructions regarding the exercise of the functions (GDPR Article 38(3)). Data subjects may contact the data protection officer on all issues related to the processing of the data subject's personal data and the exercise of his or her rights under the GDPR (GDPR Article 38(4)). The controller or processor shall support the data protection officer in performing his or her tasks and shall provide the resources needed to carry out the duties and tasks (GDPR Article 38(2)). This could include, for example, staff, premises, and equipment.

The data protection officer shall have at least the following tasks (GDPR Article 39(1)):
- To inform and advise the controller or the processor and the employees who carry out data processing of their obligations pursuant to the regulation and to other Union or Member State data protection provisions
- To monitor compliance with the regulation, with other Union or Member State data protection provisions, and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising, and training of staff involved in processing operations and related audits
- To provide advice where requested regarding data protection impact assessment and monitoring of its performance, pursuant to Article 35
- To cooperate with the supervisory authority
- To act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter

Importantly, the data protection officer shall, in the performance of the tasks, have due regard to the risks associated with processing operations, taking into account the nature, scope, context, and purposes of processing (GDPR Article 39(2)).

Qualifications and Expertise of the Data Protection Officer

The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfill the tasks referred to in Article 39 (GDPR Article 37(5)). The data protection officer may be a staff member of the controller or processor, or may fulfill the tasks on the basis of a service contract (GDPR Article 37(6)).

Independent in Role and Functions

The controller or processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of these functions. He or she shall not be dismissed by the controller or the processor for performing his or her functions (GDPR Article 38(3)).

Resources

The controller and processor shall support the data protection officer in performing the necessary tasks and functions. The controller or processor, as appropriate, shall provide resources necessary to carry out the duties and tasks, which may include, for example, staff, premises, equipment, and any other resources (GDPR Article 38(2)). Therefore, a protection exists against under-resourcing, even deliberate under-resourcing, of the data protection officer.

Description

Organizations must designate a data protection officer:
- To monitor internal compliance with the GDPR regime and rules
- Where the data processing is undertaken in the public sector
- Where the data processing requires regular and systematic monitoring of data subjects
- To ensure governance of the organization's data management
- To draft, review, and update compliant data protection policies
- To implement systems, changes, and functions in terms of being compliant

The data protection officer should be qualified and have particular expertise in data protection law and practice. There is a need for him or her to be able to fulfill his or her tasks in compliance and conformity with the GDPR. It appears that the data protection officer may be an employee or a contractor. The data protection officer's details must be made publicly available and the supervisory authority should be notified of the appointment. The organization must ensure timely involvement of the data protection officer in relation to all issues related to the protection of personal data and data subject issues, and proper and adequate resources must be supplied to the data protection officer by the organization to allow him or her to undertake the tasks. There is an obligation to ensure that the data protection officer has independence in his or her role and functions, and that he or she cannot be controlled, micromanaged, or instructed in relation to his or her tasks. The data protection officer will report to the board or to the highest management level as appropriate. This requirement also emphasizes the increasing importance attached to the understanding of and compliance with data protection.

The data protection officer advises the organization and employees in relation to their data protection obligations under national law and the GDPR. He or she will also monitor compliance with the data protection legal regime as well as with internal policies, and will also be involved in assigning responsibilities, raising awareness, and staff education and training. Data protection officers should highlight changes and the new GDPR to the organization. Key issues need to be identified to appropriate management. New and ongoing change and compliance issues need appropriate resourcing.

The data protection officer should assess which personal data the organization collects and processes, for which purpose, and where it is located and secured. Particular attention to outsourcing issues and contracts with processors is needed. Contracts, including service level agreements in relation to information technology (IT) systems, the cloud, and so on, may be assessed. The various IT hardware, software, and systems that employees use need to be considered. The structure of the organization or group needs to be considered, as well as jurisdiction and location issues. The life cycles, storage, and disposal of personal data are also important considerations for the new data protection officer. The relevant processes, policies, and documentation must be maintained by the organization, which places particular obligations on the data protection officer to consider the different documentation sets.