What is a data protection officer?
What is the role and responsibility of the DPO?
When should a company appoint a data protection officer?
In this article, we will break down the notion of data protection officer so you know all there is to know about it.
Are you ready?
Let’s get started!
What is a data protection officer (DPO)?
The data protection officer (DPO) is a leadership role established across the EU by the General Data Protection Regulation (GDPR) to help organizations comply with its data protection and privacy requirements.
GDPR addresses the designation of the data protection officer in Article 37.
According to the Article 29 Working Party (WP29), the EU advisory body that preceded the European Data Protection Board, the DPO is a cornerstone of accountability, helping companies comply with data privacy and protection laws.
Article 37 GDPR states that a controller or processor “shall” designate a data protection officer in the following cases:
“(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.”
In the scenarios mentioned by GDPR, the appointment of a data protection officer is mandatory.
What companies must appoint a data protection officer?
GDPR requires organizations to appoint a DPO when:
- They are a public authority or body (other than a court acting in its judicial capacity)
- Their core activities require regular and systematic monitoring of data subjects on a large scale
- Their core activities consist of large-scale processing of special categories of data (Article 9) or of data relating to criminal convictions and offences (Article 10)
Company size
In the scenarios mentioned by GDPR, the size of the company is not relevant.
What’s relevant is how personal data is processed and handled.
Large scale processing
GDPR makes reference to the “large scale” processing of personal data.
However, the concept of “large scale” is not defined.
The Article 29 Working Party, in its Guidelines on Data Protection Officers (WP243), provides some guidance on the concept of “large scale” processing.
Organizations should look at:
- The number of data subjects involved, either as a specific number or as a proportion of the relevant population (number)
- The volume of data and/or the range of different data items processed (volume)
- The duration or permanence of the processing activity (duration)
- The geographical extent of the processing activity (territory)
Companies should evaluate their data processing activities to determine if they can be qualified as a “large scale” processing.
Based on this guidance, a small company can be deemed to process personal data on a large scale.
Core activity
GDPR also makes reference to “core activities” but does not define the term either.
According to the Article 29 Working Party’s Guidelines on Data Protection Officers, “core activities” can be considered as:
“the key operations necessary to achieve the controller’s or processor’s goals. These also include all activities where the processing of data forms an inextricable part of the controller’s or processor’s activity. For example, processing health data, such as patient’s health records, should be considered as one of any hospital’s core activities and hospitals must therefore designate DPOs.”
In other words, a core activity is a processing operation inextricably linked to what the data controller or data processor does, as opposed to ancillary processing such as payroll or standard IT support.
Regular and systematic
The notion of “regular and systematic” monitoring is another concept GDPR leaves undefined.
Here too, the Article 29 Working Party’s Guidelines on Data Protection Officers provide additional guidance.
“Regular” means ongoing, recurring or repeated at fixed intervals, and “systematic” means occurring according to a system, pre-arranged, organized or methodical, or carried out as part of a general plan or strategy for data collection.
Regular and systematic monitoring of data subjects therefore covers all forms of tracking and profiling, whether online or offline.
Behavioural advertising, location tracking by mobile apps, loyalty programmes and connected devices such as fitness trackers are examples of regular and systematic monitoring of data subjects.
Regulatory, litigation and contractual risk
Companies in highly regulated industries or in advanced technology sectors that handle personal data, companies that process sensitive data or large amounts of data, and companies exposed to litigation or contractual risk should consider appointing a DPO even when GDPR does not directly require one.
It is therefore a good idea for a company to evaluate factors beyond GDPR when deciding whether appointing a DPO is advisable.
Data protection officer roles and responsibilities
Under the General Data Protection Regulation, the DPO is a mandatory role when data processing fits the criteria of Article 37 GDPR.
A data protection officer’s primary role is to ensure organizations process personal data in accordance with the GDPR requirements.
Article 38 GDPR states that:
“the controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.”
As such, the DPO must be involved, from the earliest stage, in all issues affecting the protection of personal data, including the design of new processing activities.
Article 39 GDPR sets out the DPO’s minimum tasks. In particular, the DPO must:
- Inform and advise the controller or processor and its employees of their obligations under GDPR and other data protection laws
- Monitor compliance with GDPR and with the organization’s own data protection policies, including the assignment of responsibilities, awareness-raising and training of staff, and related audits
- Provide advice on data protection impact assessments (DPIAs) where requested and monitor their performance
- Cooperate with the supervisory authority
- Act as the point of contact for the supervisory authority on issues relating to processing, and for data subjects on issues relating to the processing of their personal data
In performing these tasks, the DPO must have due regard to the risk associated with the processing, taking into account its nature, scope, context and purposes.
Note that maintaining the records of processing activities required by Article 30 remains an obligation of the controller or processor, not of the DPO, although the DPO commonly helps maintain them and relies on them to monitor compliance.
Who can be a data protection officer under GDPR?
Article 37(5) GDPR specifically states that the data protection officer must be designated on the basis of professional qualities and, in particular, “expert knowledge of data protection law and practices”.
The DPO is the organization’s focal point with respect to data processing, data protection and data privacy and must have the proper knowledge to guide internal stakeholders in this regard.
Depending on the nature of a company’s data processing activities, the data protection officer should have sufficient knowledge to be able to guide the organization.
For example, a data protection officer for Google will need to have the expert knowledge to advise Google and the DPO of a transportation company will need to have the expert knowledge to do the same for that organization.
Appointment of a data protection officer
Based on an IAPP study, GDPR was expected to create roughly 28,000 DPO positions in Europe and the United States and approximately 75,000 worldwide.
Under Article 37(2) GDPR, a group of undertakings may appoint a single data protection officer for its subsidiaries and related companies, provided the DPO is easily accessible from each establishment.
A data protection officer must be involved properly and in a timely manner on all issues relating to the protection of personal data.
What’s important is that the data protection officer remains accessible to all the entities relating to data processing in a timely and effective manner.
When a data protection officer is appointed by a company, his or her contact details must be published (for example in the company’s privacy notice).
The DPO’s contact details must also be communicated to the relevant supervisory authority.
Independence of the data protection officer
The DPO ensures the application of laws protecting individuals’ personal data in an independent manner.
GDPR requires that data protection officers have a sufficient level of independence so they can perform their tasks and responsibilities without having to fear consequences or reprimand.
Article 38(3) GDPR states:
“The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.”
The first aspect of a DPO’s independence is that they must not receive instructions from anyone regarding their role and the exercise of their function.
Furthermore, companies must not dismiss or penalize a data protection officer for exercising his or her role or making data privacy and protection decisions.
In some cases, the DPO’s decision may cost the organization more money to implement.
There should be no consequence to a DPO for that type of decision.
A DPO may also have to advise the organization that a personal data breach must be notified to the supervisory authority, or that the supervisory authority must be consulted before starting high-risk processing, advice the business may not welcome.
If that happens, a DPO should not fear dismissal.
DPO and conflict of interest
A data protection officer must not be in a position of conflict or have a conflict of interest in the exercise of his or her function.
The data protection officer should not be influenced by other people or have tasks or functions inherently in conflict with their role as a DPO.
For example, a data protection officer who acts as the head of IT at the same time may have a conflict of interest in some instances.
As the head of IT, he or she may want to process personal data a certain way while that type of processing may infringe GDPR and result in conflicting obligations on the same person.
A DPO should be free from any conflict so they can accomplish their tasks and functions without hindrance.
Here are some tips to avoid conflict of interest with the DPO role:
- Do not hire a DPO on a short-term contract
- Do not have the DPO act as a middle-manager
- Do not limit the DPO’s budget to a level he or she cannot fulfill the tasks of the DPO
- Do not put the DPO on business projects requiring important personal data processing
- Do not dismiss the DPO based on decisions he or she has made on data privacy unless there are serious grounds
- Do not limit the DPO’s investigation authority
- Do not have a DPO assume a conflicting dual role in an organization like CTO and DPO
External DPO
A company can appoint an employee to act as its data protection officer internally.
There is no obligation to have that person handle the function on a full-time basis, as long as the DPO has the time and resources to perform the tasks properly.
What’s important is that the DPO is involved in all data protection issues in a timely and effective manner.
A data protection officer’s role can also be outsourced to an external service provider under a service contract.
There are organizations offering DPO services for a fee.
Companies that lack the in-house expertise, that do not need a full-time hire, or that prefer not to appoint someone internally can appoint an external service provider as their DPO.
Who should the data protection officer report to?
Article 38 GDPR requires that the DPO report to the “highest management level” of the controller or processor.
This means that the data protection officer’s role is a senior role and must be given sufficient standing within the organization so that the appointed individual can achieve the required data protection and privacy objectives.
A DPO acting as a middle manager may not succeed as well as a DPO operating at the executive level or at least parallel to the company executives.
A DPO must have enough authority within an organization so other internal stakeholders follow his or her instructions and implement the needed measures.
Data protection officer liabilities
Data protection officers are the front line officers of enterprise risk relating to data protection and privacy.
If a company is fined under GDPR, what is the exposure of a data protection officer?
What are the risks to DPO’s?
What happens if a DPO fails in his or her role?
The Article 29 Working Party’s guidance states that DPOs are “not personally responsible in case of non-compliance with the GDPR”; it is the controller or processor that must ensure, and be able to demonstrate, that processing complies with the Regulation.
However, this does not necessarily protect the DPO from liability arising from his or her own negligence.
Although rare, a DPO can be exposed to a lawsuit for acts of negligence from various stakeholders like shareholders, their own employer or other third parties such as a consumer who believes the negligence of the DPO caused them direct harm.
If the DPO reports to the highest level of management, being covered by the company’s directors and officers (D&O) insurance can help limit the DPO’s personal liability.
Companies should also consider their E&O insurance for a possible source of compensation related to claims arising from the DPO’s decisions or function.
A DPO should also consider specific contractual clauses and protections to ensure the company indemnifies him or her when performing the functions of a DPO.
How to become a data protection officer
A data protection officer must have expert knowledge of data protection and data privacy laws.
Qualifications of a data protection officer
It is mandatory under GDPR that the DPO be qualified to adequately assume his or her role and responsibilities.
GDPR does not outline the actual qualifications of a DPO leaving organizations a level of flexibility in who they appoint in that function.
Depending on the level of complexity of a company’s data processing operations, a company will need to appoint a suitably qualified data protection officer.
A DPO is often either an IT professional or an attorney.
A qualified DPO should have an excellent knowledge of technology, IT and the law.
DPO skills
To give you an idea, here are some examples of possible qualifications of a DPO:
- Experience with EU privacy laws
- Proper understanding of technology and terminology
- Good understanding of IT and internal infrastructures
- Experience in conducting information security audits
- Leadership skills
- Project management skills
- Communication skills
- Demonstrated record to stay informed and up-to-date
- Experience in dealing with corporate executives
The data protection officer is the steward of data protection implementation and data privacy strategy within an organization.
The person must have the personal skills and abilities to be able to deal with potentially difficult company decisions and sell data protection and privacy principles to internal stakeholders.
DPO certification
A person interested in the role and function of a data protection officer can acquire additional knowledge by obtaining GDPR certifications offered by GDPR certification bodies.
For example, the International Association of Privacy Professionals and the Association of Data Protection Officers offer courses on data security and privacy that are helpful for a person who wants to become a DPO or further his or her knowledge.
DPO as a career path
The role of a data protection officer may be an interesting career path for some.
The role of the DPO offers a person the ability to have a level of independence within an organization, report to high-level management, handle data protection and privacy matters and be in charge of this function within an organization.
Is it the right career path for all to become a DPO?
This will depend on each individual person.
Since the DPO’s role must be kept independent from the data processing activities and free of conflicts of interest, data protection officers may be perceived as obstacles to strategic business objectives.
As a result, a person acting as a DPO may not have the same possibilities of advancement as another person actively involved in strategic business decisions.
A person looking to act as a DPO should weigh the pros and cons of assuming the role long-term.
How much do data protection officers make?
According to ZipRecruiter, the average data protection officer salary can range from $85,696 to $156,500 within the United States.
The 2018 mean annual salary for compliance officers was $72,520 in the United States.
Takeaways
The data protection officer is a leadership role established across the EU by the General Data Protection Regulation (GDPR) to help organizations comply with its data protection and privacy requirements.
The data protection officer is the steward of data protection implementation and data privacy strategy within an organization.
As such, the DPO’s primary role is to do what’s necessary to help the company comply with GDPR and, internally, to adopt processes and policies that observe the spirit of data protection and privacy conveyed by the Regulation.