Does your Company Need a Data Protection Officer?
With exactly 60 days to go before the EU’s General Data Protection Regulation takes effect on 25 May 2018, one of the most urgent questions facing companies is whether they need to appoint a DPO. This is important, because DPOs are in short supply and the recruitment process may take months.
A DPO’s primary role is to encourage a data protection culture within the company and to monitor compliance with the GDPR. The DPO also acts as the company’s contact point for the data protection authorities.
The main circumstances in which a company is required to appoint a DPO are where its core data processing activities include:
(a) monitoring individuals systematically and on a large scale (e.g. tracking or profiling individuals on the internet), or (b) processing, on a large scale, special categories of personal data (i.e. data relating to racial or ethnic origin, political opinions (e.g. the election-related analysis carried out by Cambridge Analytica), religious or philosophical beliefs, trade union membership, genetic or biometric data, health, sex life or sexual orientation) or personal data relating to criminal convictions and offences.
If either of these criteria is met, then it does not matter how small the company is – it needs a DPO. However, many companies’ main data processing operations are restricted to an HR database and a CRM system, and they do not meet the above criteria. Nevertheless, the data protection authorities have also issued formal guidelines which encourage the voluntary appointment of a DPO. Note that a voluntarily appointed DPO is subject to the same requirements (independence, resources, reporting line) as a mandatory one, so the decision should not be taken lightly.
In practice, the requirement to appoint a DPO is likely to be a heavy burden on SMEs. A DPO must possess expert knowledge of data protection law and practice, must be free of conflicts of interest (e.g. not the head of the IT department, because a DPO may need to assess what data protection measures are being taken by IT) and must report to the highest level of management. Demand for such senior personnel is likely to exceed supply, which will drive up salaries.
The good news is that companies are able to outsource the DPO role to appropriate experts, which provides the necessary degree of independence and expertise. This may be a cost-effective option for a company which only needs a part-time DPO resource.
Companies should carry out a careful internal analysis to determine whether a DPO must be appointed, and they should keep a record of that analysis so that the decision can be justified to a data protection authority if challenged.
Note: Certain countries have even stricter requirements, e.g. Germany, where a DPO is mandatory if more than nine persons are regularly involved in the automated processing of personal data.
Iain Jacobs is a lawyer and an IAPP-certified Information Privacy Professional (CIPP/E) and Information Privacy Manager (CIPM).