Many companies are currently considering, or looking to recruit, a Data Protection Officer (DPO) in their journey towards GDPR compliance. A common misconception is that only companies with at least 250 employees would need one. That is an outdated (and potentially damaging) notion. Be cautious and double-check all the information you get – and assume your company needs a DPO as well!
Who is this DPO?
Summarized, the DPO monitors the organization’s compliance with the GDPR. In a bit more detail, the DPO:
- works cross-departmentally;
- reviews the company’s policies and practices;
- performs internal audits;
- is involved with, and provides advice on, all issues regarding the protection of personal data;
- reports to the highest levels of management;
- is the organization’s official contact to cooperate with the Data Protection Authority.
Occupying a sui generis position within the organization, the DPO enjoys specific rights and protections to properly execute his or her tasks. S/he may not be instructed by management on how to exercise those tasks, and may not be dismissed or penalised for performing them. This is deliberately inconvenient for companies seeking to interpret the Regulation a bit more ‘pragmatically’.
Considering the short time left to reach compliance, there is a surprising lack of official certification methods for DPOs. While multiple organizations provide crash courses, be aware that none of these has yet been granted certification status by an official certification body. As a ground rule, experience in and knowledge of relevant law, data security, and organizational consultancy should constitute the fundamental characteristics of a good DPO.
Despite this presumed lack of certified DPOs, consulting one should not be considered a luxury these days. Proper governance of personal data is either a dealmaker or a dealbreaker in most industries. These ‘deals’ are spiced up a bit by the GDPR – as you might have guessed already. We know that the appointment of a DPO will be a significant weighing factor for Data Protection Authorities (DPAs) when verifying GDPR compliance. Moreover, the DPAs from the UK (ICO), the Netherlands (AP) and Canada (OPC) are currently working on building an international framework of cooperation for enforcement of the GDPR. Proper understanding of, and adherence to, the Regulation is clearly recommended.
You may wonder why Canada and the UK, as (future) non-EU member states, bother to spend resources on enforcing the European data regulation. Just remember that the GDPR does not only affect companies with an establishment in the European Union, but any company, wherever on this globe it may be based – as long as it is in any way involved with the processing of data of subjects in the European Union. This scope could potentially include almost any organization, so let us draw a clear picture of what this means in practice.
Ambiguity and guidelines
Unfortunately, that is easier said than done. The most straightforward text on DPOs can be found in Articles 37 to 39. In some national jurisdictions, appointing a DPO was already mandatory pre-GDPR. Under the GDPR, doing so is an absolute necessity, across Europe and abroad, if the right conditions are met. The GDPR is somewhat vague on these conditions, and more guidance was needed to translate the spirit of the law into a more practical interpretation. Two questions stand out specifically, both referring to Article 37(1)(b):
- What is understood by monitoring of data subjects as part of a business’s “core activities”?
- How should we interpret this monitoring of data subjects “on a large scale”?
The WP29 recognized this ambiguity and published additional guidelines in April 2017. Its three main directions:
- Appointing a DPO is considered good practice and is encouraged, even when not required;
- Appointing a DPO is mandatory when data processing is part of a business’s core activity;
- If a business requires some form of processing of personal data to achieve its primary goals, then such processing is considered a core activity.
Let us now formulate an answer to our questions, using the case of PharmXample.
PharmXample is a pharmaceutical company focused on the manufacturing, marketing and sales of generic drugs throughout Europe and South Africa. Would you say that one of PharmXample’s core businesses is processing personal data? Probably not. However, one of its core activities is the marketing and selling of its innovations. To do so, PharmXample representatives require access to, and use of, physicians’ data. Despite this data being B2B, it identifies natural persons and is therefore within the scope of the GDPR. Without these activities, PharmXample would not be able to sustain itself. Processing personal data is therefore inextricably linked with one of PharmXample’s core businesses, and a DPO is required.
With regard to ‘large scale’: the WP29 notes the expectation that, over time, a standard practice may develop when it comes to determining what exactly is understood by it. For now, companies are left to determine this for themselves. This makes it risky to assume you are on the safe side. Keep the guidelines in mind and realize that, when audited, the logic of the GDPR requires you to prove that you are explicitly exempted, rather than vice versa.
Appointing a DPO
So, you have decided that it would be wise to hire a DPO; how would you go about doing so? You may choose either to hire your own full-time DPO or to hire one externally, based on your budget, needs, and context. As of now, there are (still) no clear guidelines on how to recognize a qualified DPO – other than references and experience. We expect that from 2018 on, there may be more clarity on official DPO certifications.
We think that the question should not be whether you need a DPO to be compliant; if anything, the DPO provides a terrific opportunity to prepare for the future – where strategic, sustainable and accountable governance of personal data determines long-term success.