With the implementation of the General Data Protection Regulation (“GDPR”), companies are expected to put in place clear governance measures to ensure compliance. Amongst other things, these measures include the minimisation of data protection breaches and the strengthening of internal policies and training procedures. This may also involve the appointment of a Data Protection Officer (“DPO”). Set out below are some practical points companies should consider when appointing a DPO.
Managing the DPO appointment process
This new requirement left most companies with a number of questions relating to the appointment of a DPO, including:
- Timeline for appointments
- Obligation to appoint a DPO
- Qualifications required by a DPO
- Tasks of a DPO
- One individual to represent the companies of a group of undertakings (“Group”)
- Existing member of staff or external candidate and type of contract
Companies are not required to comply with the GDPR until 25 May 2018, and until then there is no obligation to appoint a DPO. Although the deadline seems somewhat remote, companies should take into consideration the time required (i) to find an appropriate candidate with the right qualifications to fulfil the role; and (ii) to approve headcount. Further, should a company decide to appoint an existing member of staff, appropriate training must be arranged, and this may take time.
Obligation to Appoint
Article 37(1) sets out instances where companies are under a strict obligation to appoint a DPO. These are when the processing:
- is carried out by a public authority (except for courts acting in their judicial capacity);
- requires regular and large scale systematic monitoring of individuals (e.g. online behaviour tracking); or
- consists of large scale processing of special categories of data (such as data that reveals racial or ethnic origin, political opinions, religious beliefs etc.) or data relating to criminal convictions and offences.
The GDPR does not expressly set out a list of compulsory qualifications required of a DPO, but Article 37(5) provides that a DPO must be appointed on the “basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Art 39”. As such, when deciding the level of qualification to expect of a DPO, it would be reasonable for a company to assess its needs based on the type of processing it carries out and the level of protection the data processed requires.
The tasks of a DPO are set out in Article 39 and include:
- informing and advising the company and employees about their obligations under the GDPR and data protection laws;
- monitoring compliance with the GDPR and other data protection laws (e.g. training of staff, internal audits, managing internal data protection activities, data protection impact assessments etc.); and
- cooperating with supervisory authorities and becoming their first point of contact.
One Appointment for the Group
When it comes to group enterprises, the GDPR allows for one single individual to be appointed as the DPO for the whole Group, being the Group’s companies located in the EU and/or outside of the EU. More particularly, Article 37(2) states that “a group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment”.
Internal or External Candidate
Companies may decide to appoint an existing member of staff as their DPO, provided that no conflict of interest arises, or decide to hire someone external. The DPO may be employed or engaged on a service contract basis. However, the costs of selecting an internal candidate and training them must be balanced against the costs of recruiting someone external.
Although a company may save some money by appointing an existing member of staff rather than going through the often laborious and expensive recruitment process, it is important to balance cost and convenience against the benefits of selecting a candidate with the right level of experience and knowledge, so that the company has an adequate compliance programme that could successfully withstand the regulatory checks of the supervisory authority.
Whilst appointing a DPO will become something that most companies will be required, or will decide, to do, it is worth considering that becoming a DPO carries certain responsibilities that could reduce the appeal of the role. Being responsible for the company’s exposure to a potential penalty of up to 20 million Euros or 4% of the organisation’s worldwide turnover for non-compliance might not be so appealing to an individual who does not have the expertise required to ensure the company’s compliance with the GDPR.
Securing the right level of protection your company requires based on your activities should be a priority and one that does not need to wait until May 2018.
Elisabetta Elia is an associate in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at firstname.lastname@example.org