As the clock ticks toward May 25, 2018 — the day the EU’s General Data Protection Regulation (GDPR) goes into effect — companies that store personal data of EU residents are working diligently to prepare. Among the more pressing (and sometimes confusing) aspects of the GDPR are those concerning requirements for designating a data protection officer (DPO).
In its Guidelines on Data Protection Officers (WP 243), adopted in December 2016 and revised in April 2017, the Article 29 Data Protection Working Party (WP29), the EU’s independent advisory body on data protection, clarifies the requirements concerning data protection officers, which appear in Articles 37 to 39 (Chapter IV, Section 4) of the regulation. Here are the answers to some questions you might have in determining whether you need a DPO and, if so, what the regulation requires.
“Does My Company Need a DPO?”
If your organization falls within the GDPR’s scope, Article 37(1), as interpreted by the WP29, requires you to designate a DPO if the organization fits one of the following descriptions:
- It is “a public authority or body” (except for courts acting in their judicial capacity), which the WP29 interprets as encompassing national, regional, and local authorities, as well as other organizations “governed by public law.”
- Your core activities entail “processing operations, which require regular and systematic monitoring of data subjects on a large scale.”
- Your core activities entail “processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.”
Both the second and third criteria hinge on processing “on a large scale,” a term the GDPR does not define, and the WP29 declines to set a precise threshold (for example, a fixed number of data subjects). Instead, it recommends weighing four factors: the number of data subjects concerned (as a specific number or as a proportion of the relevant population), the volume of data and/or the range of different data items processed, the duration or permanence of the processing activity, and the geographical extent of the processing activity. The “core activities” test matters too: the WP29 treats processing as a core activity when it is an inextricable part of the organization’s main business, not merely a support function such as payroll or standard IT support.
The WP29 goes on to offer some examples of large-scale processing of personal data:
- A hospital processing patient data
- A city’s transport system processing the travel data of its users, such as the use of travel cards
- An international fast-food chain processing real-time geolocation data of its customers for statistical purposes
- An insurance company or a bank processing customer data in its regular course of business
- A search engine processing user data for behavioral advertising
- A telephone or internet service provider processing data such as content, traffic, and location
Examples of cases that would not constitute large-scale processing, according to the WP29, include an individual physician processing patient data and an individual lawyer processing personal data relating to criminal convictions and offences.
Even if your company falls outside the parameters for the DPO requirement, you may want to consider designating one on a voluntary basis. This action can facilitate compliance with the regulation (for example, by giving your team an internal “go-to” expert on GDPR-related issues) and can also offer a competitive business advantage by demonstrating your commitment to protecting personal data. Be aware, however, that the WP29 states that a voluntarily designated DPO is subject to the same requirements of Articles 37 to 39 (independence, resources, tasks) as if the designation had been mandatory. If you want an internal data protection lead without those obligations, the WP29 recommends giving the role a title other than “data protection officer.”
“What Does the DPO Do?”
Monitoring internal compliance with the GDPR is one of the DPO’s central tasks under Article 39. The WP29 explains that this task may encompass
- Collecting information on data processing operations
- Analyzing and testing compliance of processing operations
- Advising the controller or processor on compliance-related issues
Article 39 also assigns the DPO the tasks of informing and advising the controller or processor and its employees of their obligations, advising on data protection impact assessments where requested, and cooperating with and acting as the contact point for the supervisory authority. It’s important to note that compliance itself remains the responsibility of the data controller or processor, not the DPO. The data protection officer advises on the actions necessary to ensure compliance with the GDPR, but the WP29 is explicit that the DPO is not personally responsible for compliance and does not bear liability for non-compliance.
“Must the DPO Be a Full-Time Employee?”
Article 37(6) of the GDPR states that the DPO may be a member of your staff “or fulfill the tasks on the basis of a service contract.” If you engage an external organization, the WP29 instructs that each member of the organization tasked with executing DPO duties must fulfill the relevant requirements for the position (see “What Qualifications Should a DPO Have?” below).
The WP29 also proposes that working with a team can have certain advantages, as “individual skills and strengths can be combined so that several individuals, working in a team, may more efficiently serve their clients.”
“Can My CTO Serve as DPO?”
While Article 38(6) of the GDPR allows DPOs to “fulfill other tasks and duties,” it requires that “any such tasks and duties do not result in a conflict of interests.”
The WP29 explains that the DPO may not hold a position that “leads him or her to determine the purposes and the means of the processing of personal data.” As a rule of thumb, it lists conflicting positions as senior management roles such as chief executive, chief operating, chief financial, and chief medical officer, head of marketing, head of human resources, and head of IT, as well as roles further down the organizational chart if they involve determining the purposes and means of processing. Because a CTO or head of IT typically decides how personal data is processed, that person will usually be conflicted out of the DPO role. The WP29 also expects organizations to document the internal analysis carried out to show that no conflict of interest exists.
“What Qualifications Should a DPO Have?”
Article 37(5) of the GDPR requires that the DPO be designated “on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices.” The WP29’s guidelines add that the DPO should “be chosen carefully, with due regard to the data protection issues that arise within the organisation,” and that this expertise should cover both national and European data protection law, with an in-depth understanding of the GDPR. The DPO should also have a thorough knowledge of your organization and your industry. Understanding of your processing operations, as well as your information systems and your data security and protection needs, is also key.
The WP29 points out that the DPO’s level of expertise should align with the nature of the data being processed. For example, an organization that processes large volumes of particularly complex or sensitive data will require a DPO with a higher level of expertise than one with simpler data processing operations.
The GDPR’s provisions on the data protection officer demonstrate how seriously the EU takes data protection. Safeguarding individuals’ personal data is no longer a vague aspiration that organizations can frame as being “everyone’s responsibility” and therefore no one’s. By requiring that certain organizations designate an independent, suitably qualified expert dedicated to GDPR compliance, the EU is taking a bold step toward making data protection a permanent focal point of everyday business practices.
If you have questions about your company’s GDPR readiness, just give us a call.