The Data Protection Act 2017 (“the DPA”) is the main legislation in force in Mauritius governing the protection of individuals' privacy rights with respect to the processing of their personal data. Section 22 of the DPA provides that ‘every controller shall adopt policies and implement appropriate technical and organisational measures so as to ensure and be able to demonstrate that the processing of personal data is performed in accordance with this Act.’ One of the measures listed in that section is the designation of ‘an officer responsible for data protection compliance issues’. The designation of a Data Protection Officer (“DPO”) is therefore mandatory under the DPA for companies in Mauritius.
The Data Protection Officer Role
The DPO plays a crucial role within an organisation. The DPO should work independently, report to the highest level of management (depending on the hierarchy in place) and have adequate resources to perform the function properly and to enable the controller or processor to meet its obligations under the DPA.
The minimum tasks of a Data Protection Officer typically include:
- Inform and advise the controller/processor and its employees about their obligations to comply with the DPA and other data protection laws;
- Monitor compliance with the DPA and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments, train staff and conduct internal audits; and
- Be the focal point of contact for the Data Protection Office (the supervisory authority) and for data subjects.
The above list is not exhaustive; controllers or processors may add other data protection tasks to the DPO's scope of work to meet their specific business needs.
Conflict of Interest
One important point for controllers and processors is that, where a new or existing employee combines the DPO role with another role, the combination must not lead to a conflict of interest. In practice, this means that a DPO should not hold a position in which he or she determines the purposes and means of processing personal data. Furthermore, if the DPO wears different hats in the business, the controller or processor should ensure that the DPO does not have competing objectives that would reduce the DPO role and responsibilities to a secondary concern behind business interests. Concrete examples of roles that may conflict with the DPO function include Chief Executive Officer, Chief Operating Officer, Chief Financial Officer, Head of Marketing, Head of Human Resources and Head of IT, to name a few.
Depending on a company's organisational structure, it may in practice be difficult, if not impossible, to avoid every situation in which a conflict of interest may arise. In such situations, appropriate measures should be implemented to adequately mitigate the risks arising from the conflict of interest.
Characteristics of a Data Protection Officer
First and foremost, a DPO should have professional experience and knowledge of the relevant data protection laws, regulations and standards. Good knowledge of the business sector in which the controller or processor operates, and of its operations and IT systems, is also recommended. The law does not prescribe any specific academic or professional qualification for the role; however, as a matter of good practice, the DPO should have followed professional training or hold professional qualifications in the subject matter, or be able to demonstrate adequate experience in this field.
It is important to note that the responsibility for compliance, and the resulting liability for non-compliance, rests with the controller or processor. The DPO does not bear any personal liability for non-compliance with applicable data protection requirements.
Controllers' or Processors' Obligations vis-à-vis the Data Protection Officer
Generally speaking, the DPO should be provided with the necessary resources to carry out his or her tasks. Additionally, depending on the processing operations, activities and size of the company, the following (non-exhaustive) resources should be provided to the DPO:
- Active support by senior management
- Sufficient time for the DPO to fulfil his or her tasks
- Adequate support in terms of financial resources, infrastructure and staff as appropriate
- Official communication of the designation of DPO to all staff
- Access to other services within the organisation so that the DPO receives information, input or support as appropriate
- Continuous training
The DPO role can be outsourced to a third party (an individual or an organisation) under a service contract. An outsourced DPO should have the same position, tasks and duties as an internal DPO would have.
How can we help?
Our team has assisted companies in several jurisdictions, including Mauritius and the United Arab Emirates, on their data protection compliance journey. As part of our services, we act as an outsourced Data Protection Officer.
Advantages of outsourcing the Data Protection Officer role to us:
- Instead of one person, you will have a qualified and experienced team with international data protection compliance exposure at your service
- We define the scope of work and go the extra mile to ensure that you remain in compliance with the DPA and adhere to industry standards
- We have worked with companies operating in different sectors, including financial services, shipping, corporate secretarial services, concierge services and real estate, to name a few
- Our team has held the Data Protection Officer role for numerous companies in many countries