The Role and Responsibilities of the GDPR Data Protection Officer

The EU GDPR and UK GDPR require organisations to appoint a GDPR Data Protection Officer (DPO) if their data processing activities meet specific criteria. The GDPR DPO is mandatory for pharma or biotech companies processing health-related information on data subjects in the EU or UK. The DPO’s role and responsibilities are distinct from those of the Data Protection Representative (for companies not established in the EU or UK). The DPO role should not be confused with other roles, such as the legal representative under the Clinical Trials Regulation.

Are you a pharmaceutical SME embarking on clinical trials in Europe? Do you have the breadth of knowledge and experience in applying the legal aspects of the GDPR to your data processing activities? Are you daunted by the task of appointing a DPO?

This article describes the roles and responsibilities of the GDPR Data Protection Officer. It explains how these differ from the Data Protection Representative and Legal Representative roles. We mention the primary considerations when appointing a DPO and explain the benefits of a DPO as a service.

The Data Protection Officer (DPO)

The DPO is an integral part of your organisation (whether an employee or externally contracted) and is ideally placed to ensure GDPR compliance. The main task of the data protection officer is to ensure that the company processes the personal data of its staff, customers, providers, patients or any other data subjects in compliance with the applicable data protection laws, in this case, the GDPR.

Responsibilities of the DPO

The DPO must ensure that the company respects the data protection rules in cooperation with the data protection authority. The DPO must:

• Inform data subjects of their rights under the GDPR and act as a contact point for requests from individuals regarding processing their personal data and rights.
• Inform the controller or processor, including their employees, of their obligations and responsibilities under the GDPR and raise awareness through training.
• Monitor compliance of the organisation in relation to the protection of personal data under the GDPR, including audits, giving due regard to the risk associated with processing operations, considering the nature, scope, context and purposes of the processing.
• Draw the company’s attention to any compliance issues.
• Give advice and recommendations to the company where a Data Protection Impact Assessment (DPIA) has been carried out, interpreting or applying the data protection rules and monitoring the DPIA’s performance.
• Cooperate with the supervisory authorities, Data Protection Authorities (DPA), responding to requests about investigations, complaint handling, inspections, etc.

Appointing a DPO for clinical trials

Appointing a DPO can be challenging. Especially if this is the first time you have had to comply with the GDPR or you are still trying to get your head around the nuances of the Regulation and how it applies to pharma working practices. After all, you’re about to appoint someone who will oversee your GDPR compliance, and you must be able to trust them.

In the pharmaceutical or biotechnology sectors, your DPO must possess knowledge of data protection law in Europe and a wider knowledge and expertise of how to apply it to pharma working practices.

The DPO should also be sufficiently independent to avoid conflicts of interest between organisational roles and responsibilities.
To ensure independence, an organisation must honour the following:

1. The organisation should refrain from giving any instructions to the DPO that may conflict with the performance of their duties
2. There must not be a conflict of interest between the individual’s duties as a DPO and their other responsibilities, if any (e.g., the company’s lawyer is not a good choice as the DPO has regulated reporting responsibilities that may conflict with lawyer‐client privilege).
3. The DPO should only report to the highest level of management. They should have the authority to investigate and access to all personal data and processing activities.
4. The organisation must offer staff and resources (including training facilities) to support the DPO’s duties.
5. The organisation must set out a minimum term of appointment and strict conditions for dismissal for a DPO post. The DPO should not be an employee on a short or fixed-term contract.

EU and UK Data Protection Representative (DPR)

Controllers without a legal presence in the EU/UK must appoint a Data Protection Representative in the country/region.
The primary tasks of an EU/UK representative are:

• responding to any inquiries Data Protection Authorities (DPA) or data subjects may have concerning data processing.
• receiving legal documents for the company as an authorised agent and maintaining records of processing activities
• making data processing records accessible to supervising authorities when requested
• being subject to enforcement proceedings in the event of a company’s non-compliance with the Regulation.

Please note: the Data Protection Representative is not the same as the Legal Representative under the Clinical Trials Regulation (CTR), who ensures compliance with the sponsor’s obligations under EU CTR and notifies the sponsor immediately in the case of becoming aware of incompliance with EU CTR.

Can a DPO fulfil the role of an EU or UK Representative?

Although nothing in the legislation prohibits an individual from fulfilling both roles, there is likely a conflict of interest. A DPO playing both roles may feel conflicted about receiving concerns from data subjects of the DPA, as their principal obligation is to facilitate the organisation’s compliance with the GDPR. Therefore, most companies should keep the two roles separate, avoiding potential conflicts of interest and compliance issues that may arise.

Data Protection Officer as a Service

Our specialist team at Pharma Data Protection offer GDPR Data Protection Officer as a service, giving you the peace of mind that your company’s data protection and regulatory compliance requirements are in reliable, experienced hands. Our specialist team ensures you meet every aspect of your DPO responsibilities.
Our comprehensive DPO service can help you meet your data protection and regulatory compliance requirements and DPO responsibilities offering the following benefits to your research organisation:

• We help you create a culture of data protection, keeping your organisation and employees up to date on your obligations under the GDPR and any other applicable EU member state or UK data protection provisions.
• We manage your GDPR compliance action plan and monitor your organisation’s compliance with the GDPR.
• We train your staff on GDPR compliance, perform audits and maintain regulatory records.
• We act as your point of contact with the data protection supervisory authorities.
• We help you perform Data Protection Impact Assessments (DPIAs).
• We support you in creating, updating and reviewing mandatory data protection documentation (including policies and procedural documents).
• We advise you on Data Subject Access Requests (DSARs), data breach monitoring, management, and reporting.

Supported by our team of experts, GDPR Pharma Data Protection’s DPO service is delivered to multiple clients, allowing us to draw on good practice from our whole client base to help your organisation.

We provide objective, independent advice and an extra layer of accountability and support to your organisation – an indication to the regulatory authorities of your commitment to transparency and legal responsibility.