The newly codified position of data protection officer ("DPO") is creating sleepless nights for many of our clients. Whilst data-savvy organisations may already have such an individual (or team), the GDPR makes it clear that it has a particular role in mind: compliance officer, expert, PR liaison and strategist. Clearly it will no longer be ok for the DPO to be 'Steve from IT' or whoever was on holiday when the job was handed out!
The new concepts and typically woolly wording in the GDPR meant that Article 29 Working Party ("WP29") guidance on the matter was eagerly awaited. The draft guidance from December 2016 answered several questions but left others open. The final version, adopted 5 April 2017, makes things ever so slightly clearer. As is so often the case with guidance, we're left with interpretations and explanations which challenge business as usual. Those new to DPOs are left thinking, whilst those with German operations (where a DPO is often mandatory today) are a little less perturbed.
What does the guidance cover?
Data controllers (and for the first time, data processors) who have core activities that involve regular and systematic monitoring (or processing sensitive data) on a large scale will be required to appoint a DPO under the GDPR. Guidance sheds more light on these parameters:
Core activities
These are the key operations necessary to achieve a business's goals. It does not include ancillary activities (eg payroll) but does include processing which forms an inextricable part of a business's activity. The WP29 suggested the example of a hospital: the core activity is to provide healthcare, but this could not be done without the processing of patients' health data.
Regular and systematic monitoring
The WP29 interprets 'regular' as ongoing or occurring at intervals, repeated at fixed times and/or constantly taking place. 'Systematic' means occurring according to a system and/or carried out as part of a strategy. Internet tracking and behavioural advertising are clearly caught as are offline activities such as loyalty programmes.
Large scale
The guidance does not set a number for what would be considered 'large scale' but provides a list of factors: number of data subjects, volume of data, duration and extent of processing etc.
WP29 encouraged the appointment of voluntary DPOs for organisations outside the scope of the GDPR's mandatory roles. However, it clarified that the title 'DPO' would attract all the obligations of Articles 37-39 (and penalties for infringements). Those organisations desiring an individual responsible for data protection without that status should ensure the job title and contract make clear they are not in fact a 'DPO'.
FINAL GUIDANCE: underlines that the DPO (mandatory or voluntary) is designated for all processing operations you undertake.
The GDPR allows group companies to appoint a single DPO, as long as they are 'easily accessible' from each establishment of the group. The WP29 interprets this as meaning the DPO must publish their contact details and communicate in the language(s) of the supervisory authorities ("SAs") and data subjects concerned. How will this work in practice for the DPO of an organisation established in a large number of time zones covering data subjects speaking dozens of different languages? WP29 simply stated that personal availability is 'essential'!
FINAL GUIDANCE: Infuriatingly for our US (and following Brexit, our British) clients, WP29 added that the DPO should be located within the EU, whether or not an enterprise is established in the EU. In a typical compromise, WP29 then states that where there is no establishment within the EU, the DPO may be more effective based outside.
The GDPR and guidance refer to the DPO throughout as an individual; however, in reality the DPO of a large organisation will head a team of deputies. The guidance did not clarify whether this is compliant, mentioning it only in the context of external DPOs, where – for the sake of clarity and good organisation – there should be a clear allocation of tasks.
FINAL GUIDANCE: helpfully adds (in three places, no less) that the DPO may perform its functions 'with the help of a team if necessary'.
A relief to SMEs and public bodies, the GDPR states the DPO may combine the role with another. The WP29 added that the other role cannot be a position in which they are determining the purposes and means of processing (eg CEO, Head of HR or Head of IT).
FINAL GUIDANCE: the FAQs add that the same considerations about resources and communication apply. Interestingly, WP29 confirms that part-time DPOs may also be a team.
Report to highest management level
Draft guidance was silent on this point. Does it mean the board of the group parent company? Or the boards of those subsidiaries that are controllers/processors in their own right?
FINAL GUIDANCE: interprets this as meaning that senior management (the guidance gives the 'board of directors' as an example) is aware of the DPO's advice, for instance by way of an annual report which is then provided to the highest level. No clarification on the group issue.
Finally, conditional 'should' requirements on expertise and training have been upgraded to mandatory 'must haves'.
What does this mean?
The WP29 has provided some useful clarifications; however, uncertainties remain. These will likely be exacerbated as SAs develop their own national guidance. This is an area where consistency between Member States will ideally be preserved.
As the DPO is part of the accountability principle running throughout the GDPR, it is important for organisations to assess and document their decisions. If you conclude your organisation is outside the scope, make sure there is a record. For those within, it is time to get hiring if you haven't done so already. The GDPR envisages the DPO as a specialised role. Given the IAPP's estimate that 75,000 DPOs are required globally (admittedly on very wide assumptions), there is likely to be a major hiring squeeze in the run up to May 2018.
You need to start considering practical issues like where the DPO should be located, how they will be accessible, how the reporting lines will look and how to ensure your DPO remains independent. What's more, the process of preparing for GDPR should ideally involve the DPO, who you don't want arriving and challenging key decisions on day one. Finding the right fit is everything and we'd suggest that on-boarding them in time for readiness assessment and GDPR planning is essential.
Do get in touch with any questions or if you would like a copy of the fuller guidance we prepared for clients.