Do you need a data protection officer (DPO) for GDPR ?

This is the second post in our series to help businesses prepare for the EU General Data Protection Regulation (GDPR). To learn more, see our previous post, “What GDPR Means for B2B Marketers.”

On May 25, 2018, the EU will begin to put into effect a major change for companies doing business in Europe: the General Data Protection Regulation (GDPR), a regulation that will force many organizations to change the way they handle personal data. With the deadline now just weeks away, it’s important for affected businesses to start making sure they have all the required pieces in place.

One of those “pieces” — one that is raising a wave of questions across the business community — is the data protection officer, or DPO. The EU understands that when protecting data is “everyone’s responsibility,” it’s easy for things to slip through the cracks, so they want certain organizations to assign official responsibility to a single individual.

“Wait… Does GDPR Even Apply to Us?”

Before we discuss the DPO requirement, it’s important to determine whether the GDPR applies to you.

The regulation applies not only to businesses in Europe, but to any business that processes and stores personal data of EU residents (not just citizens). “Personal data” is defined as any data that could be used to identify an individual, such as names, email addresses, physical addresses, phone numbers, etc. Keep in mind the regulation covers not only customers, but also employees and contractors.

Which Companies Need a Data Protection Officer (DPO)?

Article 37 of the GDPR states that a data protection officer is required for organizations that (a) are public authorities, (b) engage in “large scale systemic monitoring,” or (c) process “sensitive” personal data such as criminal records.

Many businesses have questions about what constitutes “large scale systemic monitoring,” as the regulation offers no specific guidance. If you have questions about whether your organization falls into this category, consult your legal counsel.

What Is a Data Protection Officer (DPO)?

A data protection officer is an individual authorize d by the organization to act as an independent advocate for compliance with GDPR and for appropriate use and protection of EU data subjects’ information.

Who Can Serve as Data Protection Officer (DPO)?

The GDPR provides some guidance on whom the organization may choose to serve as its data protection officer:

• Your DPO may be an employee or a contractor.
• A group of organizations may “share” a DPO as long as the individual can be accessed from each establishment.
• You should appoint an individual on the basis of his or her professional qualities, particularly knowledge of data protection law and practices.
• The person you appoint may fulfill other duties but should have no conflict of interest.

What Does the Data Protection (DPO) Do?

In Article 39, the GDPR lists some specific responsibilities of the DPO, including

• Informing and advising the data controller and processor on matters relating to GDPR compliance
• Monitoring compliance with the regulation and with other data protection provisions enforced by the EU or by individual member states as required
• Advising on the data protection impact assessment (DPIA) and monitoring its performance (for more on the DPIA requirement, see Article 35)
• Cooperating with and acting as the point of contact for supervisory authorities

Should You Appoint a Data Protection Officer (DPO), Even If You Don’t Have To?

Even if your organization doesn’t fall under the requirements for having a data protection officer (see “Which Companies Need a DPO?” above), you may still want to consider appointing one, for the following reasons:

• Appointing a DPO demonstrates to customers and business partners that you are serious about protecting personal data, which heightens the value you provide.
• Should the EU change requirements in such a way that your business does need a DPO in the future, you will be prepared.
• Many experts are calling GDPR “the tip of the iceberg” in terms of other countries and regions considering similar regulations. In these cases, it is likely that the GDPR will be used as a model. If, at some point in the future, one of the regions in which you do business requires you to have a DPO, your organization will be ahead of the curve. Not only will you already have the position already filled, but you’ll also have an individual on your team who is familiar with data protection law and can help guide your readiness plan for complying with the new regulation(s).

Finally, having a data protection officer is just good business. Data security is a prime concern for all organizations, and having an individual tasked specifically with securing your data can be a tremendous asset, even if it’s not required.