GDPR, Part III: The Data Protection Officer Requirement
By: Christopher E. Ballod and Jay F. Kramer
This seven-part series analyzes the ways in which the forthcoming General Data Protection Regulation (GDPR), applicable from May 25, 2018, will impact the regulatory landscape for entities doing business with, or transacting in the personal data of, individuals in the European Union (the GDPR reaches data subjects in the Union regardless of citizenship). The first part of this series provided an overview of the history of pre-GDPR European data protection law. The second installment focused on the GDPR's breach notification requirements. The third installment, below, addresses when and how a data protection officer (DPO) must be appointed under the GDPR. Future installments of this series will address discrete additional aspects of the new regulation helpful to entities seeking to maintain an appropriate organizational compliance posture.
The Data Protection Officer Requirement
Under Article 37 of the GDPR, both data controllers (a person or entity that determines why and how personal data will be processed) and data processors (a person or entity that processes personal data on behalf of the controller) must appoint a DPO when one of the conditions set out below is met. Although working drafts of the GDPR created an exception to the DPO requirement for entities with fewer than 250 employees, that exception was dropped from the final regulation; headcount alone neither triggers nor excuses the obligation.
Article 37 sets out three conditions, any one of which triggers the DPO appointment requirement:
- The processing is carried out by a "public authority or body" (except for courts acting in their judicial capacity); or
- The "core activities" of the entity "consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale." The phrase "regular and systematic monitoring" is not defined in the regulation itself; examples may include the processing of customer data in the regular course of business by financial institutions or insurance companies, and the Article 29 Working Party guidelines cite activities such as behavioural advertising, location tracking, loyalty programmes, and credit or insurance risk scoring; or
- The "core activities" of the entity "consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10." The "special categories of data" are defined in Article 9 of the GDPR and include such broad data sets as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health data, and data concerning a person's sex life or sexual orientation.
The regulation's own recitals offer only limited guidance on these terms. Recital 91 describes "large-scale" processing as operations "which aim to process a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects," and contrasts this with an individual physician, other health care professional, or lawyer processing personal data about patients or clients. Recital 97 states that, in the private sector, "core activities" relate to a controller's primary activities and not to processing of personal data as an ancillary activity. So an automobile manufacturer processing employee health data, even for large numbers of employees, would not treat that processing as a "core activity," since it supports the business rather than constituting it.
Will U.S. firms also need to appoint a DPO?
The European Union Article 29 Working Party's December 2016 WP 243 Guidelines on DPOs indicate that U.S. businesses whose operations trigger GDPR compliance (for example, through the extraterritorial reach of Article 3) will also have to comply with the DPO requirement. In addition, even if a U.S. entity is exempt from the DPO requirement, the guidelines state that the voluntary appointment of a DPO is a matter of good practice. Accordingly, businesses without a DPO may be more likely to face unfavorable regulatory enforcement in the event of a breach, and those without a DPO may also be more likely to face a finding of liability in the event of litigation. Therefore, many U.S. companies may make the business decision to appoint a DPO, whether or not strictly required to do so. One caveat applies: the guidelines state that when an organization designates a DPO voluntarily, the requirements of Articles 37 to 39 apply to that designation, position, and tasks as if the appointment had been mandatory, so a "voluntary" DPO must be given the same independence, resources, and access described below. Finally, as the U.S. market continues its focus on third-party vendor management, the guidelines will also lead many GDPR-compliant companies to require suppliers and other vendors to appoint DPOs.
What are the qualifications to serve as a DPO?
Article 37(5) provides that the DPO "shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39." Recital 97 adds that the necessary level of expertise "should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor." Beyond this, the GDPR is silent as to any credentialing requirement. In practice this points strongly toward a legally-trained professional, although neither the regulation nor the guidelines require a law degree, and the WP 243 guidelines also list an understanding of the organization's processing operations, of information technologies and data security, and of the business sector among the relevant skills.
To whom should a DPO report?
The DPO's role spans the organizational structure: Article 38 requires that the DPO be involved, "properly and in a timely manner, in all issues which relate to the protection of personal data." The DPO must report directly to the highest management level of the controller or processor. According to the guidelines, the DPO should be provided with the resources necessary to perform the role, including adequate financial support, infrastructure, and staff where appropriate; should attend meetings of senior management; and should be involved in all matters of data governance assessment and incident response, including communications with regulatory officials.
The DPO is to be independent and insulated from organizational repercussions for actions taken within the scope of the role. Article 38(3) shields the DPO from reprisal, stating that "[h]e or she shall not be dismissed or penalised by the controller or the processor for performing his tasks." The same provision forbids the organization from giving the DPO "any instructions regarding the exercise of those tasks." Article 38(5) binds the DPO to "secrecy or confidentiality concerning the performance of his or her tasks," which matters in particular because Article 38(4) entitles data subjects to contact the DPO directly. Finally, although Article 38(6) permits the DPO to hold other tasks and duties, the controller or processor must ensure that those duties do not create a conflict of interest; the guidelines identify roles that determine the purposes and means of processing, such as chief executive, chief operating or financial officer, head of marketing, head of human resources, or head of IT, as positions that a DPO generally cannot hold.
What does the DPO actually do?
The day-to-day activities of the DPO, set out in Article 39, are not surprising. In short, the DPO is to inform, advise, and monitor compliance across the business regarding the obligations imposed by the GDPR and other data protection laws. This includes awareness-raising and training, facilitating internal and external audits, cooperating with and acting as the contact point for supervisory authorities, and providing advice on, and monitoring the performance of, Article 35 data protection impact assessments (which Article 35(2) requires the controller to seek). One caveat practitioners should note: the guidelines make clear that the DPO is not personally responsible for the organization's non-compliance; accountability for compliance remains with the controller or processor.
The DPO role could also include performing these tasks for a series of subsidiaries and related entities if a group of undertakings appoints a single DPO, which Article 37(2) permits provided the DPO is easily accessible from each establishment, or supervising these tasks if individual DPOs are appointed for each discrete entity in the corporate umbrella. The DPO may also be tasked with interfacing with legal counsel when addressing the suitability of the contracts and safeguards put into place with the company's third-party service providers, vendors, and suppliers.
What impact will the new DPO requirement likely have on an organization?
The role of a DPO is likely more expansive in scope and scale than the current role of a privacy professional in most organizations subject to the GDPR. This requirement will therefore force companies to decide whether to build the robust and independent DPO office envisioned by the GDPR, or to outsource the DPO role under a service contract, as Article 37(6) permits, to law firms or outside counsel that would then need to be integrated deeply enough into the organization to satisfy the involvement, reporting, and accessibility requirements of Article 38. In any event, the DPO requirement presents many serious decisions for all organizations subject to the GDPR going forward.