The General Data Protection Regulation (“GDPR”) introduces a new mandatory obligation for all companies who process personal data in certain specified circumstances to appoint a data protection officer (“DPO”). The DPO will be responsible for (amongst other things) monitoring an organisation’s compliance with the GDPR and reporting to the highest level of management on privacy-related issues.
What does the law require today?
Under the current EU Data Protection Directive 95/46/EC (“Directive”) there is no mandatory requirement for companies to appoint a DPO. However, Member States have the power to exempt companies that have appointed a DPO from the duty to register with the local data protection authority (“DPA”). Given the wide discretion for Member States to choose how (if at all) to implement this aspect of the Directive, it has been approached in very different ways, resulting in a patchwork of divergent country-specific requirements.
What will the General Data Protection Regulation require?
- Who must appoint a DPO?
Under the GDPR, both controllers and processors must appoint a DPO in certain specified circumstances. Earlier drafts of the GDPR text made this obligation mandatory only for companies with more than 250 employees. However the compromise version of the Regulation has no such restriction.
Article 37 makes it clear that the obligation to appoint a DPO applies:
- To all public authorities processing personal data (except for courts acting in their judicial authority); or
- Where the “core activities” of an entity involve “regular and systematic monitoring of data subjects on a large scale”; or
- Where the “core activities” of an entity involve “large scale” processing of “special categories of data” (such as data concerning health, racial or ethnic origin, political opinions, religious or philosophical beliefs, as defined in Articles 9 and 10).
We have yet to see any guidance on what is meant by “core activities” and “large scale”, but on the face of it, these requirements seem to broadly capture companies who deal in “big data”.
For the purposes of scenario 2, Recital 21 of the GDPR suggests that this scenario is only intended to capture companies engaged in online behaviour tracking or profiling activities (and only where such activities are core to the business) but importantly not all big data companies.
Similarly, scenario 3 probably captures (for example) cloud companies whose service offering is focussed on helping companies address their HIPAA compliance or on storing patient records for large public sector health authorities, but not all big data companies processing special categories of data.
The GDPR therefore offers the possibility that many companies (e.g. cloud service providers) will not have to appoint a DPO if they are NOT undertaking any online behaviour tracking or profiling activities and/or processing any special categories of data. Even if they are undertaking such activities, they will not have to appoint a DPO, if they can show that such activities are not “core” to the business.
Member States will still have discretion to enact national provisions imposing further requirements regarding the appointment of DPOs. This discretion raises the possibility that local requirements in each Member State may be more stringent.
- Does the DPO need to have any particular qualifications or credentials?
The GDPR does not identify the precise credentials DPOs must carry, but does require that they have “expert knowledge of data protection law and practices.” A DPO may be either an employee of the organisation or an external third party providing DPO services.
- What duties does a DPO have?
Article 39 makes clear that the following tasks will form part of a DPO's role:
- Informing and advising the controller or processor and its employees of their obligations to comply with the GDPR and other Union or Member State data protection laws.
- Monitoring compliance with the GDPR and other Union or Member State data protection laws, including managing internal data protection activities, training data processing staff, and conducting internal audits.
- Advising with regard to data protection impact assessments.
- Serving as the contact point for, and cooperating with, the relevant DPA on issues relating to the processing of personal data.
- Being available for inquiries from data subjects on issues relating to data protection practices, withdrawal of consent, the “right to be forgotten”, and related rights.
- Do DPOs have any rights under the GDPR?
In addition to setting out the responsibilities of DPOs, the GDPR also grants certain rights and benefits in favour of DPOs. Companies will be required to provide DPOs with the necessary company resources to fulfil their job functions and for their own ongoing training. DPOs must also have access to the company’s data processing personnel and operations, significant independence in the performance of their roles, and a direct reporting line “to the highest management level” of the company. They are also shielded from dismissal or penalty for performing their tasks (an important consideration for an organisation when deciding whether to appoint a DPO from within its employee base, or whether to outsource the role to a third party provider of DPO services). Nor does the GDPR indicate that DPOs can be held personally liable in the context of a failure to perform their obligations. However, on the flip side, DPOs will also be subject to certain statutory obligations, for example, to be bound by secrecy or confidentiality concerning the performance of their tasks and to ensure that other tasks and duties performed by them do not result in a conflict of interest.
- Can a group of organisations appoint a single DPO?
Provided that the DPO is easily accessible from each local European establishment, Article 37(2) provides that a “group of undertakings” (e.g. a parent company and its subsidiaries) may appoint a single DPO. There is, as yet, no guidance on what it means to be “easily accessible”. This requirement is likely to mean that the DPO must be resident in the EEA. The GDPR also allows the DPO function to be performed by a third party service provider, which is likely to generate a number of opportunities for consulting and legal firms to offer outside DPO services.
What are the practical implications?
- Big data companies whose core activities involve profiling activities or the processing of special categories of data on a large scale will almost certainly need to appoint a DPO when the new regime kicks in.
- The requirement for DPOs to be experts, and the inevitable intersection of data protection laws with other national / sector-specific laws, may mean that companies with more complicated and sensitive data processing operations encounter practical difficulties in relying on a single pan-European DPO. Instead, they may need to appoint senior and experienced regional DPOs (or teams of DPOs) with knowledge of local and sector-specific laws.
- Although the universe of privacy professionals is growing rapidly, there will very likely be a shortage of experienced DPOs. Companies should therefore start thinking now about how best to recruit, train and resource a DPO, or, in the case of large companies, a DPO team.
- In larger companies and/or companies with more complex data processing operations, the resources required by DPOs will be significant. Companies should start to plan for the necessary resourcing requirements.