As we get closer to 2018, ensuring your organisation complies with the forthcoming General Data Protection Regulation (GDPR) is an increasingly pressing concern. Along with the changes to individuals’ rights and new requirements for consent, the GDPR also stipulates that, in some circumstances, you may be required to designate (or hire) a dedicated Data Protection officer (DPO).
In some European countries, hiring a DPO has been insisted (or strongly encouraged) for several years now. However, for those countries without any prior stipulations, it may soon be time to assign one. You won’t be the only one – a recent survey by the International Association of Privacy Professionals claimed that the EU would collectively need to hire in the region of 28,000 DPOs before 2018.
Here are some of the most frequently asked questions:
1. What are the current laws relating to DPOs?
Under the current EU Data Protection Directive, it is not mandatory to appoint a DPO, and the requirements can differ depending on the national laws of each Member State.
2. Is my organisation required to designate a Data Protection Officer?
Once GDPR comes into force, some organisations will be required to appoint a DPO. These include:
- Public authorities that process personal data
- Entities whose “core activities” involve “regular and systematic monitoring of data subjects on a large scale”
- Entities whose “core activities” involve “large scale” processing of “special categories of data”. For example, data relating to health, ethnicity, political opinion or religious beliefs
- Those already obliged by local law (such as Germany), even if none of the above applies
Although the specific meaning of “core activities” and “large scale” has not yet been stipulated, if your company works with Big Data, then you can assume that it applies to you. However, it has been speculated that an organisation that simply stores large amounts of data, without analysing, tracking or profiling it (cloud service providers, for example), may not need a DPO.
3. Will companies with multiple subsidiaries need more than one DPO?
A parent company with multiple subsidiaries may be able to appoint a single Data Protection Officer, under the condition that they are “easily accessible from each establishment”. Again, the definitive meaning of “easily accessible” has not yet been confirmed, but take it to mean someone who resides within the European Economic Area (EEA).
4. My company isn't within the EU. Do we still need a DPO?
At the time of writing, the result of the UK’s EU Referendum is yet to be revealed, although your requirements are unlikely to change whatever the outcome. A non-EU based company will be subject to GDPR guidelines if it:
- Is processing EU personal data
- Offers goods or services to individuals in the EU
- Monitors the behaviour of individuals, as far as their behaviour takes place within the EU
5. What does a Data Protection Officer do?
A Data Protection Officer has the following tasks:
- Inform and advise your organisation and its employees of their obligations to comply with GDPR, as well as other Union or Member State data protection laws
- Monitor compliance with the Regulation and appropriate laws, including managing internal data protection activities, awareness raising and staff training, and conducting internal audits
- Provide advice where requested on data protection impact assessments
- Act as the organisation’s contact point for issues relating to the processing of personal data
- Respond to individuals whose data is being processed on all issues relating to data protection, withdrawal of consent, the right to be forgotten and other regulatory rights
6. Does a DPO require specific skills and/or credentials?
The GDPR does not specify the precise credentials, other than “expert knowledge of data protection law and practices.” The functions of the DPO role can be performed by either an employee or a third-party service provider under a service contract, such as a consultancy or legal firm.
7. Are there any other requirements?
A DPO must be supported by their employer, who must provide the necessary resources for them to carry out their tasks and maintain their expert knowledge.
They must have access to the company’s data processing personnel and operations, as well as significant independence in the performance of their roles, along with a direct reporting line to the “highest management level”.
A DPO will be bound by secrecy or confidentiality concerning the performance of their tasks, and must ensure that any other tasks and duties they perform do not result in a conflict of interest.
DPOs are shielded from dismissal or penalty for performing their tasks, and the GDPR indicates that DPOs cannot be held personally liable in the context of a failure to perform their obligations.
8. What would happen if my company does not hire a DPO when GDPR is in force?
Non-compliance with new requirements could lead to potential fines up to 100 million EURO or 5% of annual worldwide turnover, whichever is greater.
9. Are there any other practical considerations?
As previously mentioned, with so many DPOs needed in such a limited amount of time, there is a real possibility of a skills shortage. Companies should be thinking about the recruitment or training of a Data Protection Officer now.
Also, the aforementioned rules relating to dismissal should be taken into account when appointing a DPO, whether from within your employee base or from a third-party provider.
Finally, companies that process complicated or sensitive data may encounter difficulties where GDPR intersects with national and/or sector-specific laws, demanding a more specialist DPO with the required knowledge.
The General Data Protection Regulation
A Practical Guide for Businesses
This White Paper, created by data protection specialists Opt-4, provides a thorough look at how GDPR will change existing laws, and offers suggestions for what you can do now to prepare for GDPR.
This White Paper also covers:
- The global scope of GDPR
- How GDPR will change consent, processing and profiling
- The new rights for data subjects
- Guidelines for Data Protection Officers
- Liabilities, penalties and enforcements