The role of Data Protection Officer (DPO) is a security position and is a requirement per the General Data Protection Regulation (GDPR) and Brazil’s Lei Geral de Proteção de Dados (LGPD). It is reasonable to expect the United States will develop its own version of the GDPR within the next four years. Many enterprises doing internet business in Europe will need to hire a Data Protection Officer as soon as possible. These individuals will be responsible for monitoring data protection strategies, and for ensuring compliance with GDPR Articles 37, 38, and 39. All companies collecting or processing the personal data of EU citizens are required, under Article 37, to have a DPO.
A DPO is also responsible for training and educating management and staff on the importance of compliance requirements and conducting regular security audits. The Data Protection Officer also serves as the contact point between the organization and any Supervisory Authorities overseeing data related activities.
Europeans became concerned about the abuses of Big Data, and their individual privacy. As a result, the European Parliament, European Council, and European Commission required the mandatory establishment of a DPO for all organizations processing or storing significant amounts of personal data.
Private businesses will need to appoint a DPO only if they are engaged in “core activities” requiring a “large scale and systematic” monitoring of data, or if they are a large organization with hundreds or thousands of employees. The law applies to organizations controlling or processing the data of EU residents, and a huge number of businesses are struggling to comply.
Generally speaking, an organization’s size is not as important as the amount of personal data it is handling. However, large organizations with more than 250 staff typically must establish a Data Protection Officer. Smaller organizations may not need to appoint a DPO, depending on the volume of personal data being processed and the type of business.
In government agencies, a DPO must be appointed. Essentially, any organization regularly processing personal data on a significant scale must have a DPO. This includes organizations providing software-as-a-service (SaaS), social media platforms, health care services, educational institutions, data mining platforms, and digital marketing and advertising services.
It should be noted that any organization failing to appoint a DPO must provide evidence explaining why they don’t need to appoint a Data Protection Officer. A small organization should perform an internal analysis, and the decision not to appoint a DPO should be recorded, along with the reasons why. The recorded document may have to be provided in case of a compliance audit.
The GDPR became enforceable on May 25th, 2018. The GDPR is neither a directive, nor a suggestion. It is group of laws, and is directly binding and applicable, and those who do not comply can be subject to fines.
Avoiding Conflicts of Interest
The Data Protection Officer reports directly to upper management. It is meant to be a professional position and the DPO primary duties involve communicating with other professionals. Additionally, there cannot be a conflict of interest regarding their duties of compliance with the GDPR. For this reason, an independent officer is strongly recommended, rather than folding responsibilities into an existing security or IT position.
The GDPR states the Data Protection Officer must be capable of performing their duties independently, and may not be “penalized or dismissed” for performing those duties. (The DPO’s loyalties are to the general public, not the business. The DPO’s salary can be considered a tax for doing business on the internet.) Philip Yannella, a Philadelphia attorney with Ballard Spahr, said:
“A Data Protection Officer can’t be fired because of the decisions he or she makes in that role. That spooks some U.S. companies, which are used to employment at will. If a Data Protection Officer is someone within an organization, he or she should be an expert on GDPR and data privacy.”
Not having a Data Protection Officer could get quite expensive, resulting in stiff fines on data processors and controllers for noncompliance. Fines are administered by member state supervisory authorities who have received a complaint. Yannella went on to say, “No one yet knows what kind of behavior would trigger a big fine. A lot of companies are waiting to see how this all shakes out and are standing by to see what kinds of companies and activities the EU regulators focus on with early enforcement actions.”
The Data Protection Officer’s Requirements
While the GDPR does not provide a specific list of credentials for a Data Protection Officer, it does require a DPO have “an expert understanding of data protection laws and practices.” This basically means a thorough understanding of the GDPR. The GDPR also states that the DPO’s expertise should match the data processing operations being used, and the level of security required to protect the personal data.
One responsibility is to notify supervisory authorities of any data breaches, and it must be done within 72 hours of learning of a breach. Also, the DPO is responsible for assisting in the setup of a “right to be forgotten” program, when individuals request their data be deleted from an organization’s computers. The DPO is also responsible for training and educating staff on important compliance requirements.
A DPO can be a controller or a technician, if they meet the requirements, and this might be a worthwhile solution for a small business. Related organizations can share the same DPO, overseeing data protection collectively, but all data protection activities must be managed by the same person and data must be readily accessible by staff from the related organizations, as it is needed.
The DPO’s contact information must be publicly available and provided to appropriate regulatory oversight agencies. GDPR Article 39 lists the DPO’s responsibilities, such as:
- Maintains detailed records of all data processing, which must be made public upon request
- Conducts security audits to proactively ensure compliance
- Monitors performance and provides advice on data protection efforts
- Acts as contact person between the organization and GDPR Supervisory Authorities
- Informs private citizens about how their data is being used, their data erasure rights, and the steps taken to protect personal information
Desirable Skills for Data Protection Officers
Some organizations will attempt to assign these duties to an individual from the IT department, and for a small organization, this might work. However, the new DPO must have a thorough knowledge of GDPR and U.S. regulations, and the ability to assure compliance with them. While this may initially seem akin to following a checklist, this is not a mindless task. Familiarity with the laws and regulations concerning the organization’s data activities are an absolute necessity.
An individual with a few years of experience as an IT security professional, and the ability to learn, could be an ideal candidate for a DPO position. Under the GDPR, organizations are responsible for many different types of security breaches, and the Data Protection Officer must stay abreast of the best practices, and implement all appropriate measures.
Good communication skills would also be a significant plus for this job. The ability to communicate effectively with a variety of different departments and individuals within an organization would be very useful. The DPO should be able to simplify complicated regulatory and IT concepts, provide training, and communicate public authorities. EU supervisory authorities will expect the Data Protection Officer can communicate effectively.
It is extremely important the DPO be a self-starter. They must be able to take the initiative, and work independently. While this is a desirable quality for many different jobs, it is crucial for this job. It also should be noted the GDPR specifically requires DPOs “directly report to the highest management level” under Article 83.3.
The Bottom Line
The DPO currently protects the personal data of people living in Europe and Brazil. In the United States it is reasonable to expect similar laws, soon. The Guidelines on Data Protection Officers supplement provides some much-needed specifics on the DPO’s responsibilities. The core activities are those that cannot be separated from an organization’s primary functions. Though the supplement does not provide a definition of “large-scale,” it does lay out criteria that can be used to determine the scale of:
- The amount of data subjects
- The amount of data items
- How long data is retained
- The geographical coverage of processing
The DPO position goes beyond learning GDPR regulations and checking data processing policies against them; the DPO should also have experience in both IT and data security. Additionally, this will be a position requiring constant learning and flexibility. The three core competencies are:
- Knowledge of GDPR regulations and applicable national data laws
- Experience with IT security and threat assessment
- Strong communication skills.
Image used under license from Shutterstock.com