MediaTech Law

By MIRSKY & COMPANY, PLLC

Do We Need to Appoint a (GDPR) Data Protection Officer?

Does your organization need to appoint a “Data Protection Officer”?  Articles 37-39 of the EU’s General Data Protection Regulation (GDPR) require certain organizations that process the personal data of individuals in the EU to designate a Data Protection Officer (DPO) to oversee their data protection compliance.  Doing so is a lot more than perfunctory – you can’t just say, “Steve, our HR Director, you’re now our DPO.  Congratulations!”  The qualifications for the job are significant, and the organizational impact of having a DPO is extensive.  If you are not required to appoint a DPO, you may be better off not doing so; if you are required to and fail to, your organization is exposed to serious enforcement penalties. 

Tasks of the DPO

The DPO performs the following tasks (Article 39 of the GDPR):

  • Informs and advises the controller/processor and the employees who carry out processing of their obligations under the GDPR and other data protection laws.
  • Monitors the organization’s compliance with the GDPR, other relevant data protection laws and the organization’s own data protection policies, including the assignment of responsibilities.
  • Conducts staff training and raises staff awareness about processing operations, and oversees the related audits.
  • Provides advice, where requested, on data protection impact assessments (DPIAs) and monitors their performance.
  • Cooperates with the supervisory authority.
  • Acts as the contact point for the supervisory authority on issues relating to data processing.

All of the tasks listed above could theoretically be fulfilled by a senior executive with sufficient experience and authority within the organization, but the GDPR establishes special criteria for the skill level of the individual serving in that role and a special level of protection for the DPO.  Commentary from the Article 29 Data Protection Working Party (WP29) offered that “it is a relevant element that DPOs should have expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR.”  Under Article 38, the DPO must report directly to the “highest management level” of the organization, must not receive instructions regarding the exercise of his or her DPO tasks, and cannot be dismissed or penalized for performing those tasks.  Article 38 also requires the organization to provide the resources necessary for the DPO to carry out those tasks, which the WP29 reads as including sufficient financial resources, infrastructure and, where appropriate, staff. 

In addition to the financial and organizational commitments, the operational impact of the DPO designation on an organization can be significant.  As the DPO Centre in London puts it (with reference to the UK’s supervisory authority), “Your CEO will be obligated to take your DPO’s advice, or document their reasons for not actioning these recommendations, such that they can demonstrate their reasoning should it become necessary to answer to the Information Commissioner’s Office for any failure.”

So … Which Organizations Must Appoint a DPO?

Organizations must appoint a DPO if they process the personal data of individuals in the EU and fall under one or more of the following categories (Article 37(1) of the GDPR):

  • Public authorities or bodies (except courts acting in their judicial capacity).
  • Organizations whose “core activities” consist of processing operations that “require regular and systematic monitoring of data subjects on a large scale”.
  • Organizations whose “core activities” consist of large-scale processing of “special categories” of personal data (such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or health data) or of personal data relating to criminal convictions and offenses.

The tricky – and probably largest – category is the catch-all second category, organizations whose “core activities” “require regular and systematic monitoring of data subjects on a large scale”.  The WP29’s view of an organization’s “core activities” covers “key operations necessary to achieve the organisation’s goals”, but not “necessary support functions for the organisation’s core activity or main business”.  So, for example, every organization processes employee personal data to some extent in running its payroll, but that does not make payroll processing one of its “core activities”.

Samantha Sayers of PWC notes that, “regular and systematic monitoring of data subjects” includes online or offline monitoring activity that occurs at regular intervals as part of an organization’s general plan for data collection.  Examples suggested by the WP29 include:  

“operating a telecom network; providing telecommunications services; email retargeting; data-driven marketing activities; profiling and scoring for purposes of risk assessment (e.g. for purposes of credit scoring, establishment of insurance premiums, fraud prevention, detection of money-laundering); location tracking, for example, by mobile apps; loyalty programs; behavioural advertising; monitoring of wellness, fitness and health data via wearable devices; closed circuit television; connected devices e.g. smart meters, smart cars, home automation, etc.”

To determine whether systematic monitoring is “large scale”, look to (i) the number of data subjects concerned, (ii) the volume of data and/or the range of different data items being processed, (iii) the duration or permanence of the processing and (iv) the geographic extent of the processing.  (Source: “Guidelines on Data Protection Officers”, published by the WP29).

Some organizations will easily fall under one of the above categories, and will be required to appoint a DPO.  But many organizations will not.  If your organization does not fall under one of the above categories, does that mean you need not appoint a DPO?  Yes and no.  Two caveats first: Article 37(4) lets Union or Member State law require a DPO in other cases (Germany’s Federal Data Protection Act, for example, sets its own thresholds), so check the local law of each Member State in which you operate.  And unless it is obvious that no DPO is required, the WP29 recommends that you document the internal analysis that led you to that conclusion, so that you can demonstrate it to a supervisory authority if asked.  Beyond that, it may still make sense for your organization to appoint a DPO even though you are not required to do so.  So … why not just go ahead and do it anyway – what’s the big deal?

Why Not Just Appoint a DPO (even if you don’t have to)?

For starters, there are costs.  There are payroll costs (for in-house appointees) or professional fees (for engaging outside firms).  There are organizational burdens associated with having an executive whose only job (or significant responsibility) is reporting to management on data privacy issues.  There is also an implicit acknowledgment, in appointing a DPO, that the organization has taken on an enhanced level of data protection responsibility, which may or may not be borne out in actual enhanced protections.  Or put another way, if you’re going to appoint a DPO, you can’t half-ass it.  The WP29 is explicit that when an organization designates a DPO voluntarily, Articles 37-39 apply to that designation, position and tasks as if the designation had been mandatory.  You really do have to appoint an individual with “expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR” (WP29 “Guidelines”), who reports directly to the “highest management level” of the organization (Article 38), and who is given the resources necessary to perform his or her duties (same). 

But … Why May You Want to Appoint a DPO (even if you don’t have to)?

Here’s an argument for why: your organization does not (yet) handle the requisite type of sensitive data on a large scale, or does not (yet) conduct “regular and systematic monitoring of data subjects on a large scale”, but you anticipate that one day soon it will.  Or you have the ambition to do so, and you want to build systems and processes that anticipate and support that growth.  Or you expansively interpret Article 25’s mandate (to “implement appropriate technical and organisational measures … which are designed to implement data-protection principles”) to include organizational leadership establishing a culture of data privacy and data protection. 

Or perhaps you see a strategic advantage for your organization in doing so.  As Daniel Hedley of Irwin Mitchell writes, “most technology- or data-driven businesses of any size or complexity will, I think, find that having a nominated DPO is advantageous, not only in terms of its own internal compliance efforts but also in sending a message to its customer base that it takes compliance seriously” (quoted in GDPR & Beyond).  Equally, in some cases a DPO appointment may be required by that same customer base as a condition of contracting under vendor and customer agreements, regardless of whether it is technically required under GDPR Articles 37-39.  In that case, the timing of taking on the added benefits and burdens is a business (rather than legal) decision. 

This last point about contract requirements can also feed back into an organization’s threshold analysis of whether it must appoint a DPO at all: if customer contracts will demand a DPO anyway, the appointment is effectively inevitable, and the analysis becomes one of timing rather than necessity.
