02 Mar
Data Protection Officer: what is it and – most important – do you need one?
Organisations in Europe and abroad are preparing for 25 May 2018, the day on which the General Data Protection Regulation (GDPR) becomes effective and a new data protection regime becomes fully enforceable for the processing of personal data belonging to people who are in the Union. One of the most relevant changes in the new regime is the obligation for some organisations to appoint a Data Protection Officer (DPO), a corporate role tasked with facilitating compliance with the GDPR provisions.
The DPO may be a staff member of the organisation or fulfil his or her tasks on the basis of a service contract. In this second case, this role is often referred to as “DPO Service” or “Outsourced DPO”.
But what are the tasks of a DPO and which companies need to appoint one as soon as possible?
What is a DPO?
The concept of the DPO is not entirely new. While the old Data Protection Directive did not require organisations to appoint one, a few Member States introduced this role nationally.
The core tasks of the DPO under the new data protection regime are to:
- inform and advise the organisation’s management about their obligations under the GDPR;
- monitor the organisation’s compliance with EU and national data protection laws;
- provide guidance and advice on Data Protection Impact Assessments (DPIA);
- act as the organisation’s main contact point for people and institutions, including Data Protection Authorities.
Put differently, the DPO function is conceived as the main point of reference for data protection matters within the organisation. His/her tasks are to advise, inform, and monitor, and, while it is still the organisation that bears the responsibility to comply with the GDPR, the DPO plays a fundamental role in ensuring the organisation’s accountability by creating an additional, internal layer of control over data processing practices.
Do you need a DPO?
The GDPR provides that a DPO must be appointed by:
- Public authorities. This includes public sector or hybrid bodies, such as museums, publicly funded transport companies and foundations.
- Organisations that carry out large-scale systematic monitoring of individuals. This includes companies engaging in online behaviour tracking, profiling, etc.
- Organisations that carry out large-scale processing of special categories of data or data relating to criminal convictions and offences. This includes private clinics, most political analysis companies, etc.
If your organisation belongs to a corporate group, you may consider sharing the DPO function with your parent company, or appointing one directly if your business is strongly based on personal data processing.
Even if no obligation exists for you under the GDPR to appoint a DPO, you may find it useful to designate a DPO on a voluntary basis. This is advisable especially in borderline cases, in which it is not entirely clear whether your business fulfils the requirements for a compulsory appointment. In fact, voluntary appointments are encouraged by the EU, as they contribute to strengthening the organisation’s compliance and accountability position in case of data-protection-related issues.
The challenges of appointing a DPO
Appointing the right person as a DPO comes with challenges and associated costs in meeting the necessary eligibility requirements.
First, the DPO must be in a strictly independent position, and organisations must ensure that the tasks and duties of their DPOs do not result in conflicts of interests. Therefore, CEOs, most other C-level management positions, IT managers, HR officers, and even compliance officers or legal advisors are not supposed to perform these duties.
Second, the DPO must have a sound understanding of data protection law and EU law, combined with adequate knowledge of how data is processed technically. Such a combination of skills may prove difficult to find.
Third, hiring a DPO is currently expensive, due to high demand and a relatively low supply of skilled professionals.
Finally, organisations must ensure that DPOs are constantly kept up to date through training and access to legal literature, and must provide them with adequate tools to perform their duties.
What are the consequences of failing to comply with the GDPR requirement to appoint a DPO?
The GDPR introduces heavy fines on organisations that fail to comply with the new data protection rules.
Although failure to comply with the DPO-related provisions may result in lower fines than those for non-compliance with the cornerstone rules of the Regulation (rights of the data subject, lawful bases of processing, etc.), the cost to which organisations are exposed is still considerable. Indeed, in this area, fines may be imposed up to EUR 10,000,000, or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
In addition, lacking a DPO removes a key layer of oversight over data protection practices in your organisation, which also raises the risk of being found non-compliant with the cornerstone rules of the Regulation due to lack of control.