Does my business need a data protection officer?
When GDPR comes into force, many organisations will find themselves legally obliged to appoint a Data Protection Officer (or DPO). Even where no legal obligation applies, the appointment of a DPO may represent good business sense and present a number of opportunities.
Legal obligation to appoint
Article 37 of the General Data Protection Regulation (GDPR) provides three instances in which an organisation must appoint a DPO. These are where:
- processing is carried out by a Public Authority (except for courts acting in their judicial capacity);
- core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; and
- core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.
The terms core activities, large scale, regular and systematic monitoring, and special categories of data are explained at length in the ‘Guidelines on Data Protection Officers’ document found on the European Commission website: https://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083
Importantly, Member States will also have the option to introduce additional instances which mandate a DPO appointment. For example, the new proposed Federal Data Protection Act in Germany will require businesses to appoint a DPO if they have ten or more employees who permanently process personal data. Businesses should therefore ensure they monitor any requirements under accompanying national data protection law, as well as their obligations under the GDPR. In addition, organisations that are required to appoint a DPO must publish the details of their DPO and communicate these to the relevant supervisory authority.
Best practice and demonstrating competence
Organisations that fall short of the criteria set down in GDPR but that routinely process personal data may nonetheless recognise the benefits associated with appointing an individual who is on hand to provide expert data protection advice. In particular, given the level of risk associated with fines for GDPR infringements, it is likely that data protection will increasingly become a fundamental consideration of general business competence.
About the DPO role
Article 39 of the GDPR sets out the primary responsibilities of the DPO: to provide advice and information to their business in relation to the Regulation or other Member State data protection provisions; to monitor compliance with such obligations and laws; to assist with staff awareness and training (relating to processing); to assist with Data Protection Impact Assessments; and to act as the primary point of contact with Data Subjects and Supervisory Authorities.
High levels of protection and independence
To enable the DPO to carry out their duties effectively, organisations must ensure the DPO is suitably trained and resourced and has direct access to the highest levels of management. The DPO should act with a high degree of independence from the business, so that they are able to ensure compliance with the various obligations and processes associated with the Regulation. In relation to the compliance aspect of their role, the DPO should enjoy protection from punishment by the organisation when carrying out these tasks.
Appointing the right person
Article 37 of the GDPR requires the Data Protection Officer to have expert knowledge of data protection law and the ability to fulfil the tasks outlined in Article 39 of the Regulation. In its publication ‘EU General Data Protection Regulation. An Implementation and Compliance Guide’, IT Governance recommends that such training and competencies for DPOs might include: a law degree, with a specialisation in data privacy law; professional qualifications or certification relating to data protection and / or information security; professional qualifications or certifications relevant to the industry or sector in which they are working; experience implementing data protection measures and / or frameworks and in managing key systems and processes involved in securing personal data; and experience with risk management standards and frameworks. Although these are just suggested suitability criteria, it is advisable that organisations are able to illustrate at least some of these or equivalent credentials.
Outsourcing the DPO role
As long as they meet the necessary criteria, the DPO role can be performed by an existing member of staff, a new hire, or an outsourced specialist. Typically, the size and needs of the business will determine whether the role can be effectively performed as part of an individual’s existing role, or whether the role itself should be a full-time one. The important factor to consider will always be whether the individual has enough time to fulfil the role as a DPO, given their other responsibilities.