The General Data Protection Regulation (GDPR) is the first EU-wide legislation to mandate that organisations appoint a Data Protection Officer (DPO) in certain circumstances. Jan Van Vliet, VP and GM, EMEA, Digital Guardian, examines why it makes sense for organisations to bring a DPO on board.
The concept of a Data Protection Officer (DPO) for organisations processing personal data has been around for many years. However, the appointment of a DPO is a mandatory requirement under GDPR for certain types of companies, regardless of their size or whether they are processing personal data in their capacity as a controller or processor.
With just weeks to go before the GDPR comes into effect on 25 May 2018, organisations will need to establish if they need to appoint a DPO and who should undertake this important role.
Who is required to appoint a DPO?
Article 37 of the GDPR sets out three primary scenarios where the appointment of a DPO is mandatory:
- Data processing is carried out by a public authority or body, or
- The core activities of the controller or the processor consist of processing operations which require the regular and systematic monitoring of data subjects on a large scale, or
- The core activities of the controller or the processor consist of processing on a large scale of sensitive personal data or personal data relating to criminal convictions and offences.
In other words, if you are doing any sort of analytics regarding people’s behaviour – say tracking purchases or page views on a website to provide personalised ‘you may like this’ recommendations – or regularly process and manipulate data relating to people’s health, ethnicity, sexual orientation, religious or philosophical opinions, then you are required to have a DPO. However, if your firm only processes HR data then a DPO is not required.
The Article 29 Working Party (WP29), in one of the EU’s earliest commentaries on the detailed provisions of the GDPR, sets out a number of examples of large scale processing. These include the processing of customer data in the regular course of business by a bank or insurance company, behavioural advertising by a search engine, and data (content, traffic, location) processing by telephone or internet companies. It also points out that ‘regular and systematic monitoring’ is not restricted to online behaviour and gives examples of profiling for credit scoring, fraud or anti-money laundering prevention, location tracking, and health and fitness tracking by wearable devices which, if large scale, will trigger an obligation to appoint a DPO.
What does a DPO do?
The GDPR is explicit about the tasks that DPOs are required to perform. These include informing the organisation and its employees of their data protection obligations and overseeing the training of staff, monitoring the organisation’s compliance and performance with GDPR and internal data protection policies, providing advice on data protection impact statements (DPIAs), serving as a contact point for individuals (data subjects) on privacy matters, and engaging with the ICO and acting as its contact point.
The regulation stipulates the DPO must report to top level management, be given all necessary resources to carry out their functions and should operate independently and without instruction from their employer about how they carry out their tasks.
The guidance also emphasises that the DPO is not personally responsible for non-compliance with GDPR. Liability remains with the controller or processor to demonstrate that processing activities are performed in accordance with the GDPR.
Who should be appointed?
There are currently no mandatory qualifications for who can be a DPO, although according to WP29 the following people cannot be a DPO: chief executive, chief financial officer, head of IT, head of marketing, chief operating officer or the head of HR, as this may result in a conflict of interest. This makes it more likely that someone from in-house legal or compliance will be a popular choice, and Article 37 does require the DPO to have ‘expert knowledge of data protection law and practices’.
It’s worth noting that the ICO confirms that firms can contract out the role of DPO externally with an individual or organisation. Having said that, any external DPO must have a good understanding of your firm’s data processing operations in order to be of real value.
Because DPOs need to have a complete understanding of the IT infrastructure and technical and organisational structure of the business, the best place to start looking for a DPO will be within the existing employee base.
Even if your firm does not have to make a mandatory DPO appointment, there are clear benefits to appointing one on a voluntary basis. Not only will this demonstrate to the Information Commissioner’s Office that you are serious in your commitment to comply with your data protection obligations – it also sends a strong message to customers. A DPO is not required to be a permanent employee, but the data security knowledge and expertise they can bring to a business can be priceless.