Appointing a Data Protection Officer is a GDPR requirement for many companies
A Data Protection Officer (DPO) is a security leadership position that many companies and organizations will be required to fill before the General Data Protection Regulation (GDPR) goes into effect on May 25th. So what is a data protection officer?
A Data Protection Officer is your chief point of contact between your organization and its GDPR supervisory authority (a local authority tasked with overseeing compliance). The DPO is a lot like a Corporate Security Officer or a Corporate Information Security Officer — whatever you call the person who heads up your organization’s cyber security.
The one key difference is that a Data Protection Officer is primarily concerned with GDPR compliance. While all security officers are concerned with whatever local and national laws are applicable to them, the DPO’s first focus is the GDPR.
Who Needs a Data Protection Officer?
Article 37 of the General Data Protection Regulation covers the designation of the Data Protection Officer. It begins by laying out the criterion used to determine whether a company or organization needs to appoint a Data Protection Officer.
The controller and the processor shall designate a data protection officer in any case where:
the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
To rephrase that a little bit, this applies to you if:
- You are a public authority, with the exception of courts carrying out their regular judicial duties.
- Your data practices, as either a controller or a processor, consist of you maintaining regular, systematic monitoring of data subjects.
- You are processing special categories of personal data, or information regarding criminal offenses.
Here’s where things begin to get murky and you should err on the side of caution until some of these things get litigated: items two and three use the phrase “on a large scale” to define the threshold for both processing of special categories of data, along with regular and systematic monitoring of data subjects.
What is a Large Scale to the GDPR?
It doesn’t say. An earlier draft of the GDPR defined it as having 250 employees or processing >5,000 data records. Frankly, that’s not a great definition. But it’s better than nothing. Unfortunately the Member States and the European Parliament couldn’t even agree on that. So rather than improve it they just stripped it out of the the final draft of the GDPR.
Stuart Ritchie, a Privacy Lawyer and co-founder of GDPR 360 suggests caution when interpreting what “on a large scale” means:
If you’re processing Special Category data, then any non-zero number of data subjects arguably is large-scale.
If you’re not, then consider the position of a regulated professional dealing with the data. That is to say, a sole practitioner doctor, lawyer, accountant, or engineer (as appropriate) dealing with clients. If there are more data subjects than one professional practitioner ordinarily would handle as clients, then arguably it’s large scale.
What are Special Categories of Data?
As we covered, companies and organizations that are processing special categories of data “on a large scale” must appoint a Data Protection Officer. We already covered the uncertainty over what constitutes a “large scale,” fortunately defining what special categories of data means is much easier.
The GDPR classifies personal data into two categories. The lesser of the two is just your standard Personal Data, things like names, addresses, ID numbers, email addresses and usernames.
Special categories of data refer to information that could actually be damaging to a data subject should it be compromised. This includes:
- Racial or Ethnic origin
- Political opinions
- Religious or Philosophical beliefs
- Trade Union activity
- Genetic information
- Biometric Data
- Healthcare records
- Sexual orientation
- Gender identity
You actually need a legal basis just to process special categories of data in the first place. But if you do have one, and you’re processing on a “large scale,” you need to hire or appoint a Data Protection Officer.
What Qualifications does a DPO need to have?
Once again, the EU has provided little guidance on this topic. Despite devoting three articles to the role of the Data Protection Officer, this is as much guidance as the GDPR gives on qualifications to be a DPO:
The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfill the tasks referred to in Article 39.
That’s… not much to go on. Given the lack of guidance, here’s a few suggestions for qualifications your DPO should ideally have:
- Experience dealing with EU and global privacy laws
- A background in IT/Programming (signified by Information Security Standards certifications and privacy seals)
- Experience auditing information systems and assessing risk
It would also help if you could find someone with skills in negotiating, communicating and writing for both legal and technical purposes. And then of course you want to pick a winner, someone with proven leadership skills, a self-starter, good organization — that kind of stuff.
Finding one should be easy, right?
Does our DPO have to be an employee?
No. There are many arrangements that can be made if your organization can’t find or can’t afford a Data Protection Officer. Here are three alternative arrangements to having your own in-house DPO.
A Group of Undertakings
In Article 37, the GDPR states that a group of undertakings can appoint a single data protection officer provided that he or she is accessible from each establishment. Once again, this probably needs a little hashing out. Unfortunately, the GDPR defines a “group of undertakings” by repeatedly using the word “undertaking” in the definition itself. For anyone unfamiliar with European law, the word “undertaking” is what you need defined.
A group of undertakings would refer to a parent company and its subsidiaries. So, a parent company and its “undertakings” can all appoint the same DPO as long as that individual’s information is available on each site. Remember, you have to make your DPO’s information available so that data subjects can contact them.
A group of Public Authorities
Article 37 also allows for Public Authorities to group together and name a single Data Protection Officer. Obviously, as with the “undertakings,” the DPO’s information needs to be listed by each of the authorities in their privacy notices and on their privacy page.
The GDPR does require these public authorities to take account “of their organisational [sic] structure and size.” Again, what that means is not clearly defined but you can gather that the Navy and the Department of Agriculture would probably be ill-suited to share a data protection officer given their vast differences.
A Service Contract
Finally, Article 37 allows for organizations to enter into an agreement with a third-party that will fulfill the responsibilities of the DPO as part of a service contract. A word of caution about this option, though. As you will see shortly, your Data Protection Officer is charged with overseeing your GDPR compliance and reporting it back to your supervisory authority.
Given that much of GDPR compliance centers around strong data security practices, you will be giving a non-employee unprecedented access to your security implementations, your data flows and who knows whatever other proprietary information. You’ll also be giving them a considerable degree of autonomy. For some companies and organizations the risk associated with that might outweigh the benefits of having a DPO on a service contract.
What are the responsibilities of a Data Protection Officer?
Data Protection Officers are tasked with implementing and overseeing a lot. That’s why you want to find someone who will be good at the role, rather than leaving compliance (and the potential fines that come with screwing compliance up) to whoever volunteers. Or gets stuck with it. This is not that kind of position.
Your Data Protection Officer will need to be “properly” involved in all issues which relate to the protection of personal data. And your organization is required to furnish its DPO with the correct resources to carry out their responsibilities and maintain their expertise in this constantly evolving field.
And this is important: Your Data Protection Officer is in charge. It’s illegal to give “instructions,” which is a European way to church up “directions” or “commands.” Your DPO doesn’t take orders from anyone, and they report to the highest level of management in your organization.
In many ways the DPO is autonomous, acting in the best interest of data subjects and their data security. They are basically an advocate for data subjects. You cannot fire your Data Protection Officer for performing their duties. Even when that goes against your business interests.
The DPO will also be public facing, meaning that data subjects need to be able to contact them regarding their personal data and “the exercise of their rights under” the GDPR.
Article 39 gives a more specific list of the responsibilities of a Data Protection Officer.
- The DPO advises your company or organization about their obligations under the GDPR, as well as under local, state and national laws.
- The DPO monitors compliance with the GDPR, as well as any local, state and national regulations and laws, this includes:
- Assigning responsibilities
- Raising awareness
- Training Staff
- The DPO provides advice in performing Data Protection Impact Assessments (Article 35)
- The DPO maintains comprehensive records
- The DPO is the point of contact for your Supervisory Authority and must maintain a cooperative relationship with it.
Can a Data Protection Officer have other responsibilities?
Yes. The GDPR allows for the DPO to have other responsibilities as long as they do not conflict with the performance of their duties. But, at this point you’ve seen what a Data Protection Officer does, would you really want them to have their focus split between two different roles?
The answer to this question depends on some organizational calculus you’ll have to do for yourself. But we would advise finding a qualified candidate and making the data protection officer a full-time position.
What are the penalties for not having a DPO?
Shockingly, the GDPR does not clearly define the penalty for failing to appoint a Data Protection Officer, but we can gather some insight from Article 83 4(a):
Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
Article 39, as we discussed earlier, covers the duties of the Data Protection Officer. So while it doesn’t explicitly say the fine is for not having a DPO, if there’s nobody performing the DPO’s duties you owe the EU 10-million euros or 2% of your gross revenue — whatever’s greater.
And that’s only for the lack of a Data Protection Officer, assuming you also run a foul of the compliance obligations that no one is overseeing, it could be even more.
Should we hire a DPO even though we’re not required to?
Probably. If you’re really not processing much data or you’re running on a shoestring budget you may be fine without one. But if you can afford it, our advice would be to find a data protection officer or promote someone within your organization that’s qualified.
According to the National Cyber Security Alliance, 66% – two out of every three – of the SMBs (small and medium businesses) hit by a data breach goes out of business within six months. And now with the prospect of EU fines that start at 10,000,000 Euros looming, I’d be willing to wager that percentage might tick up even higher.
Don’t look at this as a requirement for the GDPR, look at it as the right thing to do for your organization’s health and security. You may not realize it, but getting breached or leaking customer data is an existential threat to your business. If the damage to your brand’s reputation doesn’t put you down for the count, fines and penalties from the EU and other government bodies might.
Don’t take risks like that. Use the need to become GDPR compliant as an opportunity to tighten up your security and become more responsible with the data you collect.
As always, if you have any questions or comments, leave them below. We are here to help.
Check out the rest of the Hashed Out GDPR Compliance Series
- GDPR: Introduction to a Series
- GDPR: How it affects the Domain Industry
- GDPR: How it affects Web Hosts
- GDPR: Problems for ICANN/WHOIS?
- GDPR: Complying with EU-US Privacy Shield
- GDPR: What is a Data Protection Officer?
- GDPR: Best Practices for Privacy Notices
- GDPR: What you need to know about Cookies
- GDPR: What is the Right to be Forgotten?
- GDPR: How to perform a Data Audit
- GDPR: Encryption Best Practices
- GDPR: When to report a Personal Data Breach
Don’t Get Breached
91% of cyber attacks start with an email. 60% of SMBs are out of business within six months of a data breach. Not securing your email is like leaving the front door open for hackers.