“The choice to make good choices is the best choice you can choose. Fail to make that choice and on most choices, you will lose” – Ryan Lilly
The General Data Protection Regulation (GDPR) is a hot topic in boards of directors, and one of the questions that arises most frequently is whether a Data Protection Officer (DPO) should be hired, promoted or assigned; and if so, how a corporation should choose efficiently.
Disclaimer: This blog article was written by our compliance experts for general information and does not claim to provide legal advice. To understand the full context of your organization, please consult with a privacy compliance and/or legal professional.
According to the European Data Protection Supervisor, “the primary role of the data protection officer (DPO) is to ensure that [the] organization processes the personal data of its staff, customers, providers or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules”.
The DPO plays a critical part in your data privacy program and compliance. For large corporations, privacy obligations involve a vast array of international regulations, laws, standards and contractual agreements, often in a context of complex cross-border data transfers.
►Remember: The DPO is the maestro of this orchestra, and with fines as high as those of the GDPR, you had better choose a talented and experienced one!
The nomination of a DPO has been a feature of the German Data Protection Law for more than 30 years already, and its inclusion in the GDPR speaks to the efficiency of this measure. The GDPR enforces this in several ways:
In line with the risk-based approach of the GDPR, the obligation to designate a DPO is connected to the nature of the data processing activity. It’s a case-by-case decision that must be documented and for which the corporation must be accountable.
►Remember: Appointing a DPO has nothing to do with the size of your company, your revenues or the number of employees you have on payroll.
There are at least two situations in which it is mandatory to designate a DPO:
- Applicable if your core activities consist of processing that requires the regular and systematic monitoring of data subjects (Note: A privacy lawyer should interpret what constitutes a core activity for your corporation.)
- Applicable if your core activities consist of large-scale processing of special categories of data, as listed in Article 9, Section 1 GDPR
The GDPR sets forth the requirements in terms of qualifications. This is not discretionary. Your DPO must have the following qualifications (Article 37, Section 5 GDPR):
According to ISACA, a DPO “needs a mix of skills and experience extending from data privacy into information risk management, relationship management, persuasive/negotiating skills, and the ability to operate at the highest levels within an organization”.
In other words, the mandatory requirement for your DPO is an interplay of legal, organizational and technical knowledge.
Yes, if the DPO is accessible from each establishment. In some cases, this may be recommended to facilitate intra-group processing. The legislator did not specify what is meant by “accessibility”; it likely refers to technical and actual availability rather than geographic proximity.
Of course! This designation can be a first and crucial step towards GDPR compliance and should not be overlooked, especially if your corporation is dealing with many national peculiarities.
►Be careful: Even if designated voluntarily, the DPO will have to comply with the requirements of the GDPR and assume the statutory liabilities.
Yes! The DPO can be an employee of your own corporation, or DPO services can be delivered through a service contract. Note that Art. 37 GDPR does not explicitly exclude legal persons, so you can engage a company as your DPO. The model that works best has to be determined based on your specific data processing activities, size and budget.
Here are some practical considerations to keep in mind when choosing between an in-house DPO or an outsourced solution:
[table id=23 /]
Keep in mind that you must remain accountable:
This will allow you to demonstrate compliance with the GDPR requirements.
And don’t forget… The contact details of your DPO have to be published and communicated to the Supervisory Authority!