29 June 2019
The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, has applied since May 25, 2018.
It places data protection obligations on companies doing business in the EU, covering IT security, anonymization, breach notification, and other issues that arise when handling personal data.
Article 37 of the GDPR requires certain organisations to designate a Data Protection Officer (DPO) to assist with regulatory compliance.
If you sell products or services to people in the EU, you may be required to designate a DPO.
This is an overview of that requirement and how to comply with it, so you avoid the fines (up to EUR 10 million or 2% of worldwide annual turnover for breaches of Articles 37 to 39, under Article 83(4)) and the other penalties the regulation provides for.
The Data Protection Officer (DPO) is an individual designated by an organisation to help it ensure compliance with the GDPR. The regulation sets no specific experience or education requirements; Article 37(5) only says the DPO is designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices.
The duties of a DPO are listed in Article 39 of the GDPR:
This places the DPO at the level of a senior compliance executive, or of an expert consultant if retained as an independent contractor.
Since finding the right person or consultant can be a significant time and financial investment, it's important to know whether hiring this individual is mandatory for your company.
If the core activities of your business involve any of the following, you'll need a DPO regardless of where your business is headquartered:
Special categories of data include sensitive personal information such as political opinions, religious beliefs, sexual orientation, racial or ethnic origin and health data (the full list is in Article 9).
Public authorities and bodies (other than courts acting in their judicial capacity) always need a DPO.
If you do not handle personal data, the DPO requirement does not apply to you.
Article 4(1) of the GDPR defines personal data as:
This definition of personal data is broader than US companies may be used to. So even if you feel all of your systems are in compliance, perform an internal audit.
The data you control may be considered personal under the EU requirements even if it avoids that categorization under the laws of your local jurisdiction.
If anything you collect falls under one of these categories, review the DPO compliance checklist below.
Here's what you can do to comply with the DPO requirements from the GDPR act:
Your app or business may have a greater reach than you realize.
Unless you purposely and directly shut out the EU, consumers there can still reach your products and services. Mere reachability of a website is not enough on its own (Recital 23), but if you ship to EU addresses, price in euros, accept orders from EU customers or track the behaviour of people in the EU, Article 3(2) brings you within the regulation, and with it the DPO requirement if the conditions above are met.
Also, realize that even small companies must comply. While the regulation was being drafted, there was discussion of limiting the DPO requirement to companies with more than 250 employees.
That threshold did not survive into the final text, so even a recent startup that builds apps needs to consider compliance if it markets and sells to the EU, or uses the platforms that make that possible.
If the data you collect or process is done on a large scale and falls within one of the categories mentioned above, you'll need a DPO.
If your company already implemented a Privacy by Design approach, you likely already have a qualified individual on staff. With minor shuffling, it may be a matter of changing that individual's title and hiring additional employees to support them.
Review the duties of a DPO outlined above so you can update that person's job description and make the resources available to them to fulfil their obligations.
It's worth noting that there are no restrictions on whether a DPO must be hired in-house as an employee or retained as an outside consultant.
There are advantages and disadvantages to each approach:
In-house DPOs have easier access to your company's resources.
This matters because the DPO not only has a wide range of responsibilities but also specific protections and rights under Article 38.
The DPO needs authority to use company resources to fulfil their duties and to maintain their expert knowledge.
Privacy laws can change quickly and you need to empower the DPO to stay informed.
Your DPO also needs access to IT and security staff to assess how personal data is actually handled.
DPOs also stay in contact with the managers who can make changes when they become necessary. Many companies find that an in-house DPO makes this communication work much better.
However, the position also requires independence (under Article 38(3) the DPO must not receive instructions on how to perform their tasks and cannot be dismissed or penalised for performing them) as well as confidentiality. That can be hard to guarantee in some work environments.
Outside consultants offer this independence in addition to well-developed expertise.
There's a third option.
Some companies take a belt-and-braces approach and appoint both an internal and an external DPO.
The internal DPO is available for day-to-day security considerations and that allows any problems to get addressed quickly.
However, an external DPO can audit processes in a truly independent manner and offer expertise that may not be within the knowledge base of your internal officer.
This is likely to enhance your compliance with the law and help you avoid penalties.
In Germany, whose national law (the BDSG) required DPOs long before the GDPR, this combined approach is encouraged.