The five-year process since the passage of the General Data Protection Regulation (GDPR) is soon coming to an end, and organizations across the globe are now clamoring to prepare for the several new requirements surrounding data collection and processing. One requirement in particular has been arguably the most debated and amended provision throughout the legislative process of the GDPR; this obligation calls for staffing, something that is yet to be seen in European law outside Germany – specific organizations will have to employ, appoint or contract a designated data protection officer (DPO) by the time the regulation comes into force in May 2018.
The GDPR has made it mandatory for any organization that controls or processes large volumes of personal data, including public bodies (with the exemption of courts), to appoint a DPO. This requirement is not limited to large organizations; the GDPR states that as long as the activities of the processor or controller involve the ‘systematic and regular monitoring of data subjects on a grand scale’, or where the entity carries out large-scale processing of particular categories of personal data (such as data that details race, religious beliefs, or ethnicity), it must comply with this requirement. This basically means that even sole traders who handle certain types of data may have to hire a DPO.
A DPO may be appointed to act on behalf of a group of public authorities or companies, depending on their size and structure. A provision in the regulation allows EU member states to specify additional circumstances requiring the appointment of a DPO. For example, in Germany, every business with more than nine employees that permanently processes personal data has to appoint a DPO.
A data protection officer is a position within an organization that independently advocates for the responsible use and protection of personal data. The role of Data Protection Officer is a fundamental part of the GDPR’s accountability-based approach. The GDPR makes the DPO responsible for liaising with end-users and customers on any privacy-related requests, liaising with the various data protection authorities, and ensuring that employees remain informed of any updates to data protection requirements. The DPO has to have expert knowledge of data protection practices and laws, on top of a solid understanding of the company’s organizational and technical structure.
The Controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
Article 39, GDPR
The DPO is mainly responsible for ensuring a company is compliant with the aims of the GDPR and other data protection policies and laws. This responsibility may include setting reasonable retention periods for personal data, developing workflows that facilitate access to data, clearly outlining how collected data is anonymized, and monitoring all these systems to make sure they work towards the protection of personal data. Additionally, the DPO should be available for inquiries from data subjects on issues related to data protection practices, the right to be forgotten, withdrawal of consent and the other related rights the GDPR grants them.
The GDPR affords the data protection officer several rights on top of their responsibilities. The company is obligated to provide any resources the DPO asks for or requires to fulfill their role, including ongoing training. They should have full access to the company’s data processing operations and personnel, a considerable amount of independence in the execution of their tasks, and a direct reporting line to the highest level of management within the company. The GDPR expressly prevents the dismissal of the data protection officer for executing their tasks and puts no limitation on the length of their tenure.
Currently most organizations already have Chief Information Officer (CIO), Chief Data Officer, or CISO roles; however, these roles are different from the DPO role. The holders of these positions are typically responsible for keeping the company’s data safe and for ensuring the data a company collects is used to enhance business processes across the organization. The DPO, on the other hand, mainly works to protect the customer’s privacy. This means that instead of retaining ‘valuable’ data indefinitely, or reusing insights collected in one business line to feed another, the DPO is there to make sure only the minimum data required to complete a process is collected and subsequently retained. The GDPR creates a huge demand for DPOs, but the job itself is far from easy.
The GDPR doesn’t specify the exact credentials a DPO should have. The role is somewhat multi-faceted: advising on obligations under the GDPR is a legal role, while monitoring compliance falls under audit. Additionally, the data protection impact assessment is more of a privacy specialist role, and working closely with a supervisory authority demands an understanding of how the authority works.
I. Level of expertise – A DPO must possess a level of expertise that is commensurate with the complexity, sensitivity and volume of data the company processes. A high-level understanding of how to develop, implement and manage data protection programs is crucial. These skills should be founded upon wide-ranging experience in IT. The DPO should also be able to demonstrate an awareness of evolving threats and fully comprehend how modern technologies can be used to avert them.
II. Professional qualities – A DPO doesn’t have to be a lawyer, but they have to be an expert in European and national data protection law, including an in-depth knowledge of the GDPR. They should be able to act in an independent manner. This points towards the need for a mature professional who can build client relationships while ensuring compliance without taking an adversarial position.
III. Ability to execute tasks – The DPO has to be able to demonstrate high professional ethics, integrity, leadership and project management experience, so as to be able to request, mobilize and lead the resources needed to fulfill their role.