Data Protection Officer (DPO)

The General Data Protection Regulation (GDPR) became fully effective on May 25, 2018.

It places new data protection obligations on companies doing business in the EU, covering IT security, anonymization, breach notification, and other issues that arise when handling personal data.

The GDPR act includes Data Protection Regulation (EC) No. 45/2001, which requires companies to retain a Data Protection Officer (DPO) to assist in regulatory compliance.

If you perform transactions or sell products or services in the EU, it's likely that you require a DPO in 2018.

This is an overview of this requirement from the GDPR act and how to comply with it so you avoid the steep fines and other penalties arising from the act.

What is a DPO?

The Data Protection Officer, or DPO, is an individual designated by a company to assure compliance with the GDPR act. There are no requirements for the experience and education of this individual, only a broad description that they have expert knowledge of data security practices.

The duties of a DPO are listed in Article 39 of the GDPR regulation:

  • Educating data controllers, processors, and their employees about GDPR obligations and how to follow them.
  • Monitoring GDPR compliance by managing data protection practices, training employees, and auditing procedures.
  • Advising upper management of needed changes and developments with the laws.
  • Being a liaison between executives and upper management to assure informed decision making on data security.
  • Being available to advise on protection practices including withdrawal of consent and other consumer rights regarding their data.

This places the DPO as a high-level legal compliance executive or an expert consultant if hired as an independent contractor.
Since finding the right person or consultant can be a significant time and financial investment, it's important to know whether hiring this individual is mandatory for your company.

Is a DPO mandatory?

If the core activities of your business involve any of the following, you'll need a DPO regardless of where your business is headquartered:

  • The regular and systematic monitoring of individuals in the EU on a large scale
  • The controlling/processing of special categories of data on a large scale from individuals in the EU
  • The controlling/processing of data related to criminal convictions and criminal offences from individuals in the EU

Special categories of data include sensitive personal information such as political opinions, religious beliefs, sexual orientation, racial or ethnic origin, and health data.

Public authorities that process data from EU citizens will always need a DPO.

If you do not handle personal data, the DPO requirement does not apply to you.

Data Protection Regulation (EC) No. 45/2001 defines personal data as:

Definition of personal data under Data Protection Regulation

This definition of personal data is broader than US companies may be used to. So even if you feel all of your systems are in compliance, perform an internal audit.

The data you control may be considered personal under the EU requirements even if it avoids that categorization under the laws of your local jurisdiction.

If anything you collect falls under one of these categories, review the DPO compliance checklist below.

Checklist for DPO compliance

Here's what you can do to comply with the DPO requirements from the GDPR act:

  1. Assess your international reach
  2. Take a closer look at the data you collect/process

Assess your international reach

Your app or business may have a greater reach than you realize.

Unless you purposely and directly shut out the EU through your business, consumers from there can still access your products and services. That provides the link between you and the EU that may require compliance with the DPO requirement.

Also, realize that even small companies must comply. During the consideration of the regulation, there was a discussion on limiting the requirement to companies with more than 250 employees.

However, that did not survive the passage of the bill, so even your recent startup that creates apps needs to consider compliance policies if you market and sell products to the EU - or use the platforms that make that possible.

Take a closer look at the data you collect/process

If you collect or process data on a large scale and it falls within one of the categories mentioned above, you'll need a DPO.

The DPO role

If your company already implemented a Privacy by Design approach, you likely already have a qualified individual on staff. With minor shuffling, it may be a matter of changing that individual's title and hiring additional employees to support them.

Review the duties of a DPO outlined above so you can make changes to their job description and make resources available to them to fulfill their obligations.

It's worth noting that there are no restrictions on whether a DPO must be hired in-house as an employee or retained as an outside consultant.

There are advantages and disadvantages to each approach:

  • In-house DPOs may have easier access to your company's resources.

    This is important when you consider that the DPO not only has a wide range of responsibilities but also specific rights.

    The DPO needs authority to use company resources to fulfill their duties and update their training and knowledge.

    Privacy laws can change quickly and you need to empower the DPO to stay informed.

    Your DPO also requires access to IT and security professionals to assess the quality of their performance.

    DPOs also stay in contact with managers who can effect changes if they become necessary. Many companies find maintaining a DPO in-house makes this communication scheme work much better.

    However, the DPO position also requires independence as well as discretion. That can be difficult to manage in some work environments.

  • Outside consultants offer this independence in addition to well-developed expertise.

    There's a third option.

  • Some companies err on the side of overkill and hire both an external and internal DPO.

    The internal DPO is available for day-to-day security considerations and that allows any problems to get addressed quickly.

    However, an external DPO can audit processes in a truly independent manner and offer expertise that may not be within the knowledge base of your internal officer.

    This is likely to enhance your compliance with the law and help you avoid penalties.

    In Germany, this approach is encouraged as it has proven to allow for maximum data protection.

Jocelyn Mackie

Former civil litigation attorney. Content legal strategist.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.