Does My Organization Need to Appoint a GDPR DPO?

Now that the General Data Protection Regulation (GDPR) is in effect in European Union (EU) countries, businesses are asking whether they need to appoint a Data Protection Officer (DPO).

The job of a Data Protection Officer is outlined in Article 37 of the GDPR. A Data Protection Officer is any individual appointed by a business or organization. The DPO is authorized by that enterprise to act as an independent advocate. The DPO is responsible for making sure that the company acts in compliance with GDPR. The DPO supervises appropriate use and protection of EU data subjects’ personal information.

Any business that collects and/or processes the personal data of anyone resident in the European Union on a large scale needs to appoint a Data Protection Officer. This requirement also applies to nearly all government bodies and to any organisations handling highly sensitive information like criminal or medical records. The DPO is essentially the interface between the company and its employees and clients who are EU residents.

It is the responsibility of the Data Protection Officer to ensure that the company’s employees know about GDPR compliance. The Data Protection Officer is tasked with educating staff on how to comply with GDPR regulations. The DPO also conducts regular security assessments to avoid breaches. He/she is the link between the business and GDPR Supervisory Authorities. The DPO makes sure that staff know the GDPR compliance requirements and how to achieve these. The DPO also makes sure Data Processors are fulfilling their role. The DPO monitors the processing performance and maintains records of the company’s data processing.

If data subjects need to be informed of their rights, or requests must be processed, the DPO does this. The DPO also makes sure that, if the security of personal data is breached, both the data subjects and the GDPR supervising authorities are advised. If an individual’s data is being erased or re-purposed, the DPO ensures data subjects are informed and give their written approval.

GDPR Article 37 seems to imply that small and medium-sized businesses may not need to appoint a Data Protection Officer, although it is still not fully clear what the best practices are in this area. The answer depends more on how “large scale data processing” is defined than on the actual number of staff or turnover. Articles 38 and 39 outline the duties of a Data Protection Officer. These clauses also point out instances when having a Data Protection Officer is advisable. These include cases where processing is carried out by an individual or by a public authority or body. Another case involves instances where the Data Controller and/or the Data Processor require systematic large-scale monitoring of data subjects. A further case is where the processing involves large-scale data of special categories such as those outlined in GDPR Article 10.

Businesses struggle with whether they need to appoint a DPO and, if so, how to do so. According to GDPR guidelines, a company may select as DPO an existing employee, a new hire, or a contractor of the business.

The person selected must have detailed knowledge and expertise in GDPR guidelines. However, there are still many aspects of GDPR that remain subject to interpretation and discussion, as local supervisory authorities have been slow to issue their own definitions. It is likely that, during the initial stages of GDPR compliance, the DPO is also responsible for making organizations GDPR compliant, and not just for monitoring ongoing compliance. It is unlikely that a DPO can make the necessary decisions and recommendations regarding the IT security infrastructure needed to protect personal data without deep experience in the area. It is therefore necessary that the DPO has deep knowledge of information technology and especially cybersecurity.

If your DPO has been selected from existing employees, you need to make sure there is no conflict of interest between his/her DPO duties and other job-related interests.

What can the DPO be expected to do?

Under Article 39 of the GDPR, the DPO can logically be expected to do such things as:

  • Work with the Data Controller and Data Processors to keep them informed and compliant with GDPR guidelines.
  • Work in harmony with other DPOs in EU states to monitor compliance with GDPR.

According to Article 35, a DPO can expect to advise on Data Protection Impact Assessments (DPIA), which probably requires deep knowledge of IT systems and cybersecurity.

The DPO will be the person from your business who contacts GDPR supervising authorities should the need arise, for instance when reporting breaches.

By now it should be obvious that many small or medium-sized businesses are not compelled to appoint a Data Protection Officer, but still need to protect the personal data of their clients under GDPR.

Should your company do so anyway? Even if your organization is not compelled to have a data protection officer, you might see the advantages of doing so, particularly if it means adding this responsibility to the portfolio of an existing employee.

Having a DPO would show GDPR authorities your business is serious about compliance. If requirements were to change, your business would be ready to meet the new rules. If your country is not part of the EU, there is still every expectation that the GDPR, or legislation much like it, will impact you nonetheless. If GDPR becomes your country’s model, your company will be ahead of the game with a DPO already appointed.