GDPR Essentials: Data Protection Officers, What Are They and How Do You Get One?
With the implementation of the EU’s General Data Protection Regulation (GDPR) 10 weeks away, organizations are struggling to reach compliance before the deadline passes. The new legislation is meant to unify and standardize data protection regulations across the EU, simplifying compliance procedures across borders and giving EU data subjects an unprecedented level of control over their personal data.
For the first time, privacy in its digital context will be legally enforced by design and by default. Companies will be held responsible for any breach of privacy, and hefty fines (up to EUR 20 million or 4% of annual worldwide turnover, whichever is higher) will be applied to data controllers and processors found not to have taken adequate measures to protect EU data subjects’ personal information.
The GDPR brings one additional significant change compared with its predecessor, the 1995 Data Protection Directive: certain organizations will have to appoint a Data Protection Officer (DPO). But what will their duties be, and which organizations are obliged to have one? Let’s find out!
What is a DPO and who needs one?
A Data Protection Officer or DPO is an employee or externally contracted entity designated to have a formal responsibility for data protection compliance within an organization. Countries such as Germany and the Philippines have already made it a legal obligation for certain types of companies to appoint a DPO.
Under the GDPR (Article 37(1)), there are three categories of organizations that are obliged to appoint a DPO:
- public authorities and bodies (except for courts acting in their judicial capacity);
- organizations whose core activities consist of regular and systematic monitoring of individuals on a large scale;
- organizations whose core activities consist of large-scale processing of special categories of data (racial or ethnic origin, political opinions, religious beliefs, health, sexual orientation etc.) or of data relating to criminal convictions and offences.
In Germany, existing data protection law requires every business in which ten or more employees are permanently engaged in the automated processing of personal data to appoint a DPO. The GDPR itself sets no such headcount threshold (although Article 37(4) allows member states to impose additional DPO obligations in national law). What this essentially means is that even SMEs with fewer than 10 employees may be required to appoint a DPO. In a digital context, this makes sense: a three-person startup can develop a successful application that processes the information of millions of users across Europe.
While the Article 29 Working Party (WP29) encourages all organizations to appoint a DPO as a matter of good practice and to demonstrate compliance, it is worth keeping in mind that once an organization appoints a DPO, even voluntarily, it is then obliged to comply with the full range of DPO requirements listed in Articles 37 to 39 of the GDPR.
Duties of a DPO
The tasks of a DPO are listed under Article 39 of the GDPR and include, among others:
- Monitoring compliance with the GDPR and other national data protection laws as well as policies instated by controllers or processors for the protection of personal data
- Conducting internal audits to ensure compliance
- Raising awareness within the company about compliance requirements
- Training staff involved in processing operations
- Acting as a liaison between the organization and supervisory authorities
- Managing internal data protection activities and advising on data protection impact assessments
Employees appointed internally or newly hired as DPOs, whether they hold additional roles or not, must maintain their independence in discharging their DPO duties and must not be penalized or dismissed for performing their tasks (Article 38). Organizations must not instruct them on how to perform their duties or how to interpret data protection law, and must provide DPOs with adequate resources to carry out their tasks. DPOs must also report directly to the highest management level of the controller or processor.
Who can be a DPO?
With the GDPR deadline fast approaching, organizations may feel some relief to learn that they can appoint a DPO internally or contract one externally. The GDPR allows DPOs to “fulfil other tasks and duties”, meaning they can hold multiple positions, but there must not be a conflict of interest between those additional activities and their formal duties as DPO. Senior management positions that determine the purposes and means of processing, such as CEO, CFO, head of IT or head of HR, are likely to conflict with DPO duties.
The GDPR does not specify any precise credentials that a DPO must have, but the Guidelines on Data Protection Officers published by the Article 29 Working Party state that DPOs must understand how to build, implement and manage data protection programs. Likewise, DPOs are not required to be lawyers, but they must be experts in national and European data protection law and have a thorough knowledge of the GDPR. DPOs must also have an adequate understanding of the organization’s technical and organizational structure, data security and information technologies.
While organizations may be tempted to appoint a DPO whether they need one or not, they may find that qualified candidates are in short supply: the Indeed job search in Britain registered a 700% increase in DPO job listings in the last 18 months.
A study by the International Association of Privacy Professionals (IAPP) found that more than 28,000 DPOs would need to be appointed in Europe alone in order to comply with the GDPR. Data protection specialists are rare birds in the job market at the present moment, although no doubt the plethora of training programs that have cropped up since the GDPR was first announced is sure to produce a new generation of experts.