What is a data protection officer?
A data protection officer (DPO) is an employee or contractor hired to oversee a company’s data protection strategy and ensure compliance with the General Data Protection Regulation (GDPR). The role was introduced in 2018 to promote compliance with the new laws governing how the personal data of EU citizens is handled.
Which organizations are required to hire a data protection officer?
All public authorities are required to appoint a data protection officer to comply with GDPR. Businesses that process personal data on a large scale or that process specific categories of data, such as race and ethnicity, must also appoint a DPO.
The scope of what constitutes ‘large scale’ is not made clear in the rules set by GDPR. In general, small businesses will not need to appoint a DPO unless their services are focused on data collection and sharing. The “Guidelines on Data Protection Officers” supplement does shed some light, however, by outlining four factors that help to define ‘large scale’:
- “The number of data subjects concerned – either as a specific number or as a proportion of the relevant population”
- “The volume of data and/or the range of different data items being processed”
- “The duration, or permanence, of the data processing activity”
- “The geographical extent of the processing activity”
The same document provides examples of large-scale data processing, including:
- “Processing of customer data in the regular course of business by an insurance company or a bank”
- “Processing of real-time geo-location data of customers of an international fast-food chain for statistical purposes by a processor specialised in providing these services”
Examples of data processing that do not require a DPO include an individual lawyer processing data relating to criminal convictions, or an individual doctor processing patient data.
What responsibilities does a data protection officer have?
The responsibilities of a data protection officer are broad. According to Article 39 of GDPR, the data protection officer is charged with:
- Educating the wider company about compliance
- Providing training to employees involved in data processing
- Carrying out data security audits on a regular basis
- Liaising with the relevant GDPR supervisory authorities
- Continuously monitoring performance and advising the business on how to better manage data protection
- Keeping a record of all data processing conducted within the organisation or public body
- Making this record available upon request
What qualifications does a data protection officer need?
According to Article 37 of GDPR, data protection officers do not require a specific qualification but are required to have “expert knowledge of data protection law and practices”. They should be well versed in the data processing operations of the business.
DPOs must also not exercise duties or responsibilities that could represent a conflict of interest with their monitoring of data processing. A lawyer who could represent the business in a potential legal proceeding would therefore not be eligible, as their current position would infringe on the objective role of a DPO.
The ideal background for a data protection officer is an IT security professional with several years of experience in their industry. Businesses must be adequately equipped to prevent a variety of data breaches, which requires a data protection officer who is experienced in current IT security trends and best-practice data protection policies.
The ideal DPO will also have formal legal training with a data security focus. While the initial steps to ensuring GDPR compliance can be considered a “checklist” approach, the complexity of compliance increases over time, especially in larger organisations. A good DPO will also be familiar with the regulations in other territories where the business processes private information, as the data privacy policies implemented for GDPR may not be applicable in non-EU countries.
How do I appoint a data protection officer?
There are three approaches to appointing a data protection officer:
- Appoint an existing employee as the DPO, provided that their existing duties do not conflict with the duties of a DPO.
- Make a new permanent hire who will work as a DPO full-time.
- Outsource the role of DPO externally on a service-based contract. The outsourced DPO must have the same authority and duties as an internally appointed DPO.
An increasing number of IT specialists provide Data Protection Officer as a Service (DPOaaS).
The responsibilities of a DPO are broad, which makes the role difficult to fill with an existing or newly hired permanent member of staff. A DPO must be able to understand data privacy law and implement internal processes that help the business adhere to these regulations, taking particular care that those processes support rather than clash with necessary security processes, and that they do not restrict users’ activities unduly. Privacy cannot be a blocker to doing business, or it will be dangerously circumvented.
The only way to strike these balances is to make sure that the starting point is always the data itself – specifically its routes into, around and out of the business. Realistically, these routes will be numerous, complex and varied, and most of them will probably have been invisible until now. It is the DPO’s job to identify them all, spot the risks they pose not only to privacy but also to security and governance, and then put in place suitable processes or technologies to protect the data itself and defend the data subjects’ rights.
This requires far more than knowledge of privacy law alone: it also requires an experienced understanding of data, its movement, its storage and its vulnerability.
Calligo is a privacy-led Data Protection Officer service provider working with enterprises across the globe. The team comprises experts in privacy law – including GDPR, CCPA and PIPEDA – information security and change management, and, because of Calligo’s heritage as a privacy-focused cloud services provider, also includes experts in technology, cloud environments and data.