Everything you need to know about the GDPR Data Protection Officer (DPO)
Under certain conditions, the GDPR requires organizations to appoint a Data Protection Officer. In this article, we go over the profile and duties of this type of GDPR officer.
The purpose of the General Data Protection Regulation (GDPR) is to safeguard personal data on the Internet. To this end, the GDPR requires most organizations that handle people’s private information to appoint an employee charged with overseeing the organization’s GDPR compliance. The Data Protection Officer, or DPO, is an organization’s GDPR focal point and will have to possess expert knowledge of data protection law and practices. (If you need a primer on the GDPR itself and some of the key terms, check out our article “What is the GDPR?”)
Below we explain how the GDPR defines the position of Data Protection Officer, including the tasks and responsibilities that come with the post, the skills it requires, and what types of organizations are required to have one. Hiring a DPO may be necessary for your organization to avoid heavy penalties, up to 4 percent of global revenue or €20 million.
What does a GDPR Data Protection Officer do?
According to Article 38, which establishes the position of the DPO, “The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.” Article 38 goes on to state that other employees in the organization aren’t allowed to issue any instructions to the DPO regarding the performance of their tasks. So, not only does the DPO have wide-ranging responsibilities, but the position is shielded from potential interference from the organization. Finally, the DPO is bound by confidentiality in the performance of their tasks and will only report directly to the highest level of management at the organization.
Between Articles 38 and 39, the GDPR assigns six major tasks to the DPO:
- To receive comments and questions from data subjects related to the processing of their personal data and the GDPR.
- To inform an organization and its employees of their obligations under the GDPR and any other applicable EU member state data protection provisions.
- To monitor an organization’s compliance with the GDPR and any other applicable EU member state data protection provisions, train staff on compliance, and perform audits.
- To perform data protection impact assessments (Article 35).
- To cooperate with the data protection supervisory authority.
- To act as the focal point for the data protection supervisory authority on matters relating to the processing of personal data and other matters, where appropriate.
In practice, the scope of the GDPR Data Protection Officer’s job means this is not a position for a junior associate. A DPO must have the technical expertise to conduct GDPR assessments and a legal understanding of privacy laws in all jurisdictions in which their organization operates. They must be as at home advising executives on what data protection strategy to adopt as explaining the vagaries of the GDPR to entry-level staff and customers. And given the DPO’s independence and the rapid pace of technological developments, any prospective DPO must be a self-starter, willing to stay up to date with tech and GDPR news and to work with minimal guidance and oversight.
Do you need a Data Protection Officer?
All organizations, regardless of the type or size, that handle EU residents’ personal information should have someone in the organization who is tasked with monitoring GDPR compliance (part of the “organizational measures” referred to in Article 25). That said, hiring an actual Data Protection Officer is only required by the GDPR if you meet one of three criteria:
- Public authority — The processing of personal data is done by a public body or public authorities, with exemptions granted to courts and other independent judicial authorities.
- Large-scale, regular monitoring — The processing of personal data is the core activity of an organization that regularly and systematically observes its “data subjects” (which, under the GDPR, means citizens or residents of the EU) on a large scale.
- Large-scale special data categories — The processing of specific “special” data categories (as defined by the GDPR) is part of an organization’s core activity and is done on a large scale.
There are a lot of vague terms here. The final draft of the GDPR neglects to define what processing as a “core activity” or on a “large scale” means. The European Commission’s Guidelines on Data Protection Officers provide some hints, but there are still no hard and fast rules. According to the guidelines, a “core activity” can be considered as:
the key operations to achieve the controller’s or processor’s objectives. These also include all activities where the processing of data forms an inextricable part of the controller’s or processor’s activity. For example, processing health data, such as patient’s health records, should be considered as one of any hospital’s core activities and hospitals must therefore designate DPOs.
The guidelines also list the factors that an organization must consider when deciding whether they perform data processing on a “large scale.” They are:
- the number of data subjects concerned, either as a specific number or as a proportion of the relevant population;
- the volume of data and/or the range of different data items being processed;
- the duration, or permanence, of the data processing activity;
- and the geographical extent of the processing activity.
The guidelines also list several examples of large-scale processing, including the processing of patient data by a hospital, the processing of customer data in the regular course of business by a bank, or the processing of personal data for behavioral advertising by a search engine.
Thus an organization may be conducting data processing on a large scale even while the organization itself is of relatively modest size. For smaller organizations, it may not be feasible to hire a full-time DPO. In this case, a DPO can be hired or shared among several smaller organizations, provided the DPO is easily accessible by each organization and can effectively carry out their duties for each organization. Conversely, if an organization is too large for a single DPO working alone to handle all the duties, it may be necessary to provide the DPO with support staff. The GDPR allows for both situations.
What are the qualifications of a GDPR Data Protection Officer?
The importance and breadth of the DPO’s duties make finding a qualified candidate an essential step in GDPR compliance. While the GDPR does not list specific qualifications, it does stipulate that the level of knowledge and experience required of an organization’s DPO must be determined according to the complexity of the data processing operations being carried out. When evaluating a candidate or creating a job listing for the position, these are some of the most important qualifications to keep in mind:
- Significant (over 5 years) experience working with EU and global privacy laws, including drafting of privacy policies, technology provisions, and working on compliance
- Significant experience working with IT programming or infrastructure, including certification in information security standards
- Significant experience in performing audits of information systems, attestation audits and risk assessments
- Demonstrated leadership skills achieving stated objectives coordinating with a diverse set of stakeholders and managing multiple projects at once
- Demonstrated ability to continuously coordinate with multiple parties and supervisors while maintaining independence
- Demonstrated communication skills to address different audiences, from the board of directors to data subjects, from managers to IT staff and lawyers
- Demonstrated self-starter with ability to gain required knowledge in dynamic environments and remain up-to-date on cutting-edge developments
- Demonstrated record of engaging with emerging laws and technologies
- Experience in legal and technical training and in awareness raising
- Experience in dealing successfully with different business cultures and industries
How to hire a Data Protection Officer
Because your DPO will need close knowledge of how your organization processes and protects its data and of its legal obligations, a logical starting point for recruiting would be your own IT or legal department. In particular, the duties of the Chief Data Officer are similar to those of a DPO. Once a competitive internal candidate is identified, they should receive training or certification on the GDPR. While the GDPR will create certification bodies in the near future, organizations such as the International Association of Privacy Professionals (IAPP) and the Association of Data Protection Officers already offer courses on data security and privacy.
Recruiting a DPO from outside your organization will require persistence. The IAPP estimates there will be a demand for 28,000 Data Protection Officers in 2018. That level of need should far outpace the availability of highly qualified candidates, making your search for a DPO especially challenging. Larger organizations should consider recruiting at any of the larger European technology fairs, such as the CEBIT festival in Berlin or the InfoSecurity Show in London. Smaller organizations should consider their actual needs and look into paying for a managed recruitment service.