The EU is fully aware that data protection is a major responsibility, and that things can easily slip through the small nooks and crannies, which is why it is an ideal time for organisations, whether big or small, to invest in a Data Protection Officer (DPO).
Before we further discuss the DPO requirement, it is important to determine whether the GDPR applies to you.
The Regulation applies not only to businesses in Europe, but to any company that processes and stores the personal data of EU residents (and its reach goes beyond residents alone). “Personal data” is defined as any information that could be used to identify an individual, such as names, e-mail addresses, physical addresses, telephone numbers, etc. Note that the Regulation applies not only to customers but also to employees and contractors.
Which Companies Need a DPO?
Article 37 of the GDPR states that a DPO is required for organisations in the following categories:
- public authorities
- organisations that carry out “large-scale systemic surveillance”
- organisations that process “sensitive” personal data, such as criminal records
Many companies have questions about what constitutes “large-scale systemic surveillance”, as the Regulation does not provide specific guidance. If you have questions about whether your organisation falls into this category, please contact your legal adviser.
What is a DPO?
A DPO is a person authorised by the organisation to act as an independent advocate for compliance with the GDPR and for the appropriate use and protection of data subjects’ information in the EU.
But, you may ask, “Who can act as my DPO?” The GDPR provides some guidelines on who the organisation can choose as its DPO:
- You should appoint an individual on the basis of his or her professional qualities, in particular knowledge of data protection law and practice.
- The person you appoint may perform other duties, but should not have a conflict of interest.
- Your DPO can be an employee or a contractor.
- A group of organisations can “share” a DPO as long as the individual is accessible from each organisation.
What does the DPO do?
Article 39 of the GDPR lists some specific tasks of the DPO, including:
- providing advice on the Data Protection Impact Assessment (DPIA) and monitoring its implementation (see Article 35 for more information on the DPIA requirement)
- cooperating with, and acting as the focal point for, the supervisory authorities
- informing and advising the data controller and the data processor on GDPR compliance issues
- monitoring compliance with the Regulation and with other data protection rules enforced by the EU or by individual Member States, as appropriate
Required Professional Qualities for a DPO
The GDPR states that you should appoint a DPO on the basis of his or her professional qualities, in particular his or her experience and expertise in data protection law. It does not specify exactly what qualifications are expected, but it says that they should be proportionate to the type of processing you carry out, taking into account the level of protection the personal data requires.
Thus, if the processing of personal data is particularly complex or risky, the DPO’s knowledge and skills should be correspondingly advanced to ensure effective supervision. It is also an advantage if your DPO has a good knowledge of your industry or sector, as well as of your data protection needs and processing activities.
Should You Hire a DPO?
You should consider appointing a DPO for your business for the following reasons:
- Appointing a DPO shows customers and business partners that you are serious about protecting personal data, which increases the value you provide.
- If the EU changes the requirements so that your company needs a DPO in the future, you will be prepared for it.
- Many data protection experts describe GDPR as “the tip of the iceberg” in relation to other countries and regions considering similar arrangements. In these cases it is likely that GDPR will be used as a model. If at some point in the future you need a DPO in one of the regions where you do business, your organisation will be ahead of the curve. Not only will you have already filled the post, but you will also have a person on your team who is familiar with data protection law and can steer your preparedness plan to comply with the new regulation(s).
After all, having a data protection officer is simply good business. Data security is a major concern for all organisations, and having a person specifically charged with securing your data can be a huge asset, even if it is not strictly required.