Determine How to Select your DPO and If You Need One

 “The choice to make good choices is the best choice you can choose. Fail to make that choice and on most choices, you will lose” – Ryan Lilly

 

The General Data Protection Regulation (GDPR) is a hot topic in boards of directors, and one of the questions that arises most frequently is whether a Data Protection Officer (DPO) should be hired, promoted or assigned; and if so, how a corporation should choose efficiently.

Related post: GDPR: Frequently Asked Questions

Disclaimer: This blog article was written by our compliance experts for general information and does not claim to provide legal advice. To understand the full context of your organization, please consult with a privacy compliance and/or legal professional.

 

What is a DPO?

According to the European Data Protection Supervisor, “the primary role of the data protection officer (DPO) is to ensure that [the] organization processes the personal data of its staff, customers, providers or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules”.

The DPO plays a critical part in your data privacy program and compliance. For large corporations, privacy obligations involve a vast array of international regulations, laws, standards and contractual agreements, often in a context of complex cross-border data transfers.

►Remember: The DPO is the maestro of this orchestra, and with fines as high as those of the GDPR, you better choose a talented and experienced one!

 

Why a DPO?

The nomination of a DPO has been a feature of the German Data Protection Law for more than 30 years already, and its inclusion in the GDPR speaks to the efficiency of this measure. The GDPR enforces this in several ways:

• Article 37 GDPR sets forth the situation in which a DPO must be designated. This can apply to both the controller and processor.
• 37, Section 4 GDPR enables the European Union (EU) and its Member States to adopt legislation that can require controllers, processors or associations and other bodies representing them to designate a DPO. This is one of the many opening clauses of the GDPR, allowing Member States to create additional requirements to those of the GDPR.

In line with the risk-based approach of the GDPR, the obligation to designate a DPO is connected to the nature of the data processing activity. It’s a case-by-case decision that must be documented and for which the corporation must be accountable.

►Remember: Appointing a DPO has nothing to do with the size of your company, your revenues or the number of employees who you have on payroll.

 

When do I need to appoint a DPO?

 There are at least two situations in which it is mandatory to designate a DPO:

1. Regular and Systematic Monitoring

= Applicable if your core activities consist of processing that requires the regular and systematic monitoring of data subjects (Note: A privacy lawyer should interpret what constitutes a core activity for your corporation.)

2. Special Categories of Personal Data

= Applicable if your core activities consist of processing a large scale of special categories of data, as listed in Article 9, Section 1 GDPR

 

What qualifications should I look for in a DPO?

The GDPR sets forth the requirements in terms of qualifications. This is not discretionary. Your DPO must have the following qualifications (Article 37, Section 5 GDPR):

• Expert knowledge of data protection law and practices, which is determined based on the complexity of your data processing activities
• The ability to fulfil the statutory responsibilities

According to ISACA, a DPO “needs a mix of skills and experience extending from data privacy into information risk management, relationship management, persuasive/negotiating skills, and the ability to operate at the highest levels within an organization”.

In other words, the mandatory requirement for your DPO is an interplay of legal, organizational and technical knowledge.

 

Can I have one DPO for a group of undertakings?

Yes, if the DPO is accessible from each establishment. In some cases, this may be recommended to facilitate intra-group processing. The legislator did not specify what is meant by “accessibility”, and it likely refers to technical and actual availability as opposed to geographic.

 

Can I designate a DPO voluntarily?

Of course! This designation can be a first and crucial step towards GDPR compliance and should not be overlooked, especially if your corporation is dealing with many national peculiarities.

►Be careful: Even if designated voluntary, the DPO will have to comply with the requirements of the GDPR and assume the statutory liabilities.

 

Can I outsource the DPO requirement?

Yes! The DPO can be an employee of your own corporation, or DPO services can be delivered through a service contract. Note that Art. 37 GDPR does not explicitly exclude legal persons, so you can work with a company for a DPO. The model that works best has to be determined based on your specific data processing activities, size, and budget.

Here are some practical considerations to keep in mind when choosing between an in-house DPO or an outsourced solution:

 

To be considered:

• Consider nominating your DPO for two (2) years to guarantee his or her independence. Indeed, DPOs must be independent and receive no instruction from your corporation in how they exercise their tasks (Article 38, Section 3, Phrase 1 GDPR).
• The DPO must be able to report directly to the highest management level but should only be obliged to do so when more significant data protection matters arise.
• The DPO cannot be in a conflict of interest, which means that the DPO cannot be in charge of determining the purposes and means of any data processing or ensuring the lawfulness of processing activities. This is why neither senior managers cannot be designated as Data Protection Officer nor the division heads of IT, marketing or HR.

 

Method to follow for the designation

Keep in mind that you must remain accountable:

1. Step 1: Eliminate any positions or job titles that are incompatible because of a conflict of interest. This list should be documented as part of internal rules on the designation of a DPO. These rules should define what is meant by conflict of interest from your corporation’s standpoint.
2. Step 2: Declare the independence of your DPO, such as to raise awareness around this requirement.
3. Step 3: Create safeguards to make sure that the internal rules and declaration of independence are enforceable.

 

This will allow you to demonstrate compliance with the GDPR requirements.

And don’t forget… The contact details of your DPO have to be published and communicated to the Supervisory Authority!