When to Appoint a GDPR Data Protection Officer/Privacy Officer
Article 37 of the EU's General Data Protection Regulation stipulates that data controllers and data processors subject to the Regulation (hereafter "covered entities") have to appoint a GDPR DPO (Data Protection Officer) under certain conditions.
The conditions are framed in general terms, and Article 37(4) lets each member state require a DPO in further cases, so the precise reach varies by jurisdiction. In general, a covered entity must appoint a GDPR DPO if:
- It is a public authority or body (courts acting in their judicial capacity excepted).
- Its core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, whether that processing is the primary business or is inextricable from it.
- Its core activities consist of large-scale processing of "special category" data, or of data relating to criminal convictions and offences.
The Regulation does not define "large scale". The Article 29 Working Party's guidelines on Data Protection Officers recommend assessing it using the number of data subjects concerned (as a count or as a proportion of the relevant population), the volume and range of data items processed, the duration or permanence of the processing, and its geographical extent. Member state authorities may add their own thresholds on top of this.
"Special category" data is defined in Article 9 of GDPR. It consists of data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, together with genetic data, biometric data processed to uniquely identify a person, data concerning health, and data concerning a person's sex life or sexual orientation. Processing of such data is prohibited unless one of the Article 9(2) exceptions applies, and member states' data protection laws may add further conditions.
The Role and Duties of a Data Protection Officer
The role of a Data Protection Officer is to inform and advise the covered entity of its data protection obligations under GDPR, help it develop data protection policies, train employees in GDPR compliance, and monitor compliance. He or she will also be expected to provide advice regarding Data Protection Impact Assessments, to cooperate with the member state's supervisory authority, and to act as a point of contact for data subjects and for that authority.
Although the GDPR DPO can be an existing employee, he or she must have expert knowledge of data protection law and practice, both within the member state and across the European Union. He or she must also have a thorough knowledge of the industry sector in which the covered entity operates, an understanding of the covered entity's policies and processes, and be conversant with the technologies used to process, store, and secure data.
Many covered entities will not have an existing employee with this range of knowledge, so GDPR allows the DPO's tasks to be fulfilled under a service contract with an external provider, and a group of undertakings may appoint a single DPO provided he or she is easily accessible from each establishment. Note that while the appointment of a Data Protection Officer can help demonstrate compliance with GDPR, the GDPR DPO is not personally liable in the event of a data breach. Compliance remains the responsibility of the covered entity.
Obligations of a Covered Entity to the GDPR DPO
Article 38 of GDPR is unusual inasmuch as it stipulates the obligations of a covered entity to a GDPR DPO. Under this Article there is a specific set of rules defining how the independence of a Data Protection Officer is maintained. These rules include:
- The covered entity must involve the Data Protection Officer, properly and in a timely manner, in all issues relating to the protection of personal data (for example a change in the technology used to process data) and must provide access to personal data and to its controlling or processing activities.
- The covered entity must provide the resources necessary for the DPO to perform their duties, including time (where necessary) to maintain his or her expertise in data protection law, understanding of policies and procedures, and conversance with technology.
- The covered entity must not instruct the Data Protection Officer on how to perform their duties. He or she must report directly to the highest management level, cannot be dismissed or penalized for performing their GDPR DPO duties, and must not be given other tasks that create a conflict of interest.
The conflict of interest clause is particularly restrictive for many covered entities because it eliminates potential candidates from within the covered entity's workforce. A DPO cannot hold a position in which he or she determines the purposes and means of processing, so most senior management positions will be excluded from eligibility, as will the head of IT and managers responsible for implementing the systems that process personal data.
GDPR DPO for US Companies
The situation regarding a GDPR DPO for U.S. companies is a little different. If a U.S. company has an establishment in the EU (i.e. a satellite office or subsidiary), GDPR applies to processing in the context of that establishment, and if the company qualifies for a DPO due to the volume or nature of the data it controls/processes, it is subject to the same rules as an EU-based covered entity and must appoint a GDPR DPO.
If the U.S. company has no establishment in the EU but offers goods or services to, or monitors the behaviour of, individuals in the EU, GDPR applies to that processing under Article 3(2), and the company must designate a GDPR Representative in the EU under Article 27 (certain occasional, low-risk processing is exempt). The representative requirement is independent of the US-EU Privacy Shield, which was a mechanism for lawful data transfers rather than a trigger for GDPR's reach. The GDPR Representative does not have the same roles and duties as a GDPR DPO, but acts as a point of contact between the company and EU regulators or data subjects in the EU; if the company meets the Article 37 conditions it must also appoint a DPO, whatever its location.
GDPR DPO for UK Companies
The situation regarding a GDPR DPO for UK companies is less clear cut due to the uncertainty of Brexit. If the UK leaves the European Union "with a deal" there will be a transition period until December 2020, during which time existing UK-based covered entities remain required to appoint a GDPR DPO and comply with the General Data Protection Regulation.
If the UK leaves the European Union with "no deal", UK-based covered entities will still be required to appoint a Data Protection Officer, because the Regulation's requirements are carried into UK law as the UK GDPR alongside the Data Protection Act 2018. They may also be required to appoint a GDPR Representative in the EU if they offer goods or services to, or monitor, individuals there, and EU-to-UK data transfers will depend on whether the European Commission issues an adequacy decision for the UK (the same kind of decision that underpinned the US-EU Privacy Shield).