From time to time on this blog we will share some of the questions we receive most often from organizations across industries about data privacy and security, and specifically about the GDPR and CCPA. This is the first FAQ in the series.
What’s the Deal with the Data Protection Officer?
Not to be confused with a Chief Privacy Officer (CPO) or an EU Representative, the role of data protection officer (DPO) has a specific legal meaning under the GDPR. The primary role of a DPO is to ensure that the organization that appointed it processes the personal data of its staff, customers and any other individuals (i.e., data subjects) in accordance with applicable data protection rules. Many, but not all, organizations subject to the GDPR are required to appoint a DPO, and given the unusual nature of the role, the why, when and how of the DPO sits at the top of our US clients’ FAQs.
Do we really have to appoint a DPO?
Many organizations assume that the requirement applies only to data controllers. It does not: the requirement applies to both controllers and processors, and an organization must appoint a DPO when any of the circumstances set forth in Article 37 applies.
Most relevant to our clients is the second threshold: organizations whose core activities consist of processing operations that require regular and systematic monitoring of individuals on a large scale (for example, online behavioral tracking). Any organization that is subject to the GDPR and processes personal data as more than an incidental activity should perform a careful analysis and weigh the risk of non-compliance with this requirement. The guidance on DPOs issued by the former Article 29 Working Party (since endorsed by the European Data Protection Board) sets out useful factors for assessing applicability, along with several examples, and it is clear that many tech companies, whatever their size, fall squarely into this category.
As a reminder, failing to appoint a DPO where one is required is subject to administrative fines of up to EUR 10 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher (Article 83(4)). But, as I explain below, there are real advantages to appointing someone whose top priorities are essentially to (a) educate the organization on, and help implement, privacy-friendly measures and (b) tell the organization when it is dropping the ball on data protection. Proper planning and getting ahead of potential privacy issues is far better than dealing with privacy failures after the fact.
Note that if your organization concludes that it is not required to designate a DPO because it does not meet the above criteria, it should document that analysis: doing so demonstrates compliance with the GDPR’s accountability principle (Article 5(2)), and the Article 29 Working Party guidance expressly recommends it.
What’s so special about the DPO anyway?
When a DPO is appointed, whether on a mandatory or voluntary basis, his or her remit covers all of the processing activities carried out by your organization; the organization cannot limit the DPO’s role to a few cherry-picked processing activities (and the organization, not the DPO, remains legally responsible for compliance). An appointed DPO must have an independent and fully supported role, reporting directly to the highest management level (e.g., the Board), in order to monitor compliance with applicable data protection rules. Among other things, the DPO’s tasks include:
- Informing and advising the organization and the employees who carry out processing of their obligations under the data protection rules, and acting as a contact point for data subjects on matters relating to the processing of their data;
- Advising the organization on the interpretation or application of the data protection rules to ensure compliance and accountability;
- Cooperating with supervisory authorities and acting as their contact point in the event of investigations, complaints, audits, etc.;
- Notifying the organization where it fails, or is at risk of failing, to comply with the applicable data protection rules.
The GDPR also sets out specific rules regarding the DPO’s autonomy and the support the organization must provide (Article 38). One point that comes up regularly in client discussions is that a DPO may not be dismissed or penalized by the organization for performing his or her data protection tasks, including where the DPO disagrees with or dissents from internal data-related measures, activities or products. Simply put, this is not your typical corporate officer: the DPO’s primary allegiance is to data protection as a whole, not merely to the organization that appointed him or her.
Do we really have to?
Here in the U.S., the question of whether to appoint a DPO comes up regularly with companies that are subject to the GDPR. In my experience, it is a loathed topic that C-level execs prefer to sweep under the rug or put on the back burner, despite its importance. When speaking with U.S. companies, I often sense an unspoken determination to categorically overlook the DPO provisions altogether by simply putting the discussion off to a later date. I suspect that this is due to several factors, including (a) the perceived lack of clarity as to when a DPO must be appointed (despite the above-mentioned guidance on the topic), (b) the cost of appointing a DPO and the difficulty of identifying a competent one, (c) the DPO’s unusual status and autonomy within the organization, and (d) the role of DPO being perceived as that of a ubiquitous data “cop” at odds with business purposes and goals.
While there may be some truth to the last of these, depending on where you stand, in this age of increased scrutiny from regulators and data subjects a good DPO can be a boon for any organization handling personal data, because a good DPO is a tremendously effective preventative tool. First, appointment may simply be mandatory, and complying with applicable law is always recommended. More importantly, the Article 29 Working Party guidance describes the DPO as a cornerstone of accountability and notes that appointing one can facilitate compliance and even become a competitive advantage for businesses; it is also fast becoming an industry standard. Today, providing privacy-friendly products, services and platforms is no longer optional given the growing body of global data protection regulations, and it is also what most individuals expect. Appointing a DPO shows a company’s willingness to move in this direction.
Finally, if you operate globally, the data protection laws of other jurisdictions (South Korea and Brazil, for example) also require the appointment of an officer whose role and tasks are essentially equivalent or similar to those of the DPO.
Instead of asking “do we really have to?”, companies should be asking “where do we find a good DPO?”